For the past few years Intel has been taking the flak over security flaws in its processors; now it looks like it is AMD’s turn. Security researchers have found a new exploit, named Zenbleed, affecting all AMD CPUs built on the Zen 2 architecture. It does not even require physical access to the hardware and can be exploited remotely. Given that these chips have been deployed widely in enterprise environments, this creates a huge security issue that companies cannot yet fully solve.
The chipmaker has already rolled out an update for its EPYC 7002 series chips, which have seen heavy adoption by cloud service providers and other HPC customers. However, AMD has yet to release a firmware update that resolves the issue for the rest of its affected chips. AMD has stated that the problem has not been exploited so far, but it is only a matter of time before malicious actors find a way to leverage it.
Now the race has begun, as AMD tries to roll out a firmware update to fix the problem before it is exploited. However, considering the sluggish pace at which enterprises adopt security updates, the Zenbleed problem might be bigger than it seems.
Zenbleed explained
Processor-level exploits are nothing new. Intel’s Meltdown and Spectre vulnerabilities caused a huge uproar in the computing world in 2018 and are still not completely patched. Zenbleed works similarly to these, using the internal workings of the CPU to leak sensitive data such as passwords and other credentials. The bug leverages a flaw in a CPU behaviour known as XMM register merge optimisation. At its core it is a data-leakage exploit that lets a malicious actor read the contents of CPU registers, which are commonly used to hold short strings of text, including sensitive information such as passwords.
Registers are pointers to an area of the CPU’s quick-access memory, better known as cache. Much as deleted files are not actually erased but merely marked as free space, registers set to zero are not actually wiped but are instead flagged as zero. If that zero flag is rolled back, a malicious actor can gain access to the data still held in the register storage shared among all CPU cores.
By gaining access to a part of that storage which is marked free, attackers can glean the information being written to it, which may include sensitive data such as passwords and credentials. The data can be extracted at a rate of 30 KB per core per second, giving attackers a steady stream of potentially sensitive data.
The exploit, assigned CVE-2023-20593 in the Common Vulnerabilities and Exposures (CVE) database, was discovered by white-hat hacker and Google vulnerability researcher Tavis Ormandy. As mentioned above, the attack does not require physical access to the hardware and can even be executed through malicious JavaScript on websites.
The issue affects a wide range of CPUs, including the Ryzen 3000, 4000 and 5000 chips built on the Zen 2 architecture. According to a statement by AMD, these consumer chips will receive an update in November or December of this year that patches the vulnerability. The EPYC class of chips used in enterprise servers was patched before the public disclosure of the vulnerability, as these are the juiciest targets for malicious hackers.
For now, the bug can be mitigated at the software level through the operating system, but the researcher has found that this carries a performance penalty. And even though AMD was quick to roll out a fix, there is no fix for the sluggish nature of enterprise patching practices.
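As an added example (not code from the article, AMD or the researcher), here is a Python triage helper a fleet operator could run over /proc/cpuinfo output to list which cores are Zen 2 and whether their microcode revision is still below the fixed one; the Zen 2 family/model ranges are my assumption, and min_fixed_rev is a placeholder the operator fills in from AMD’s advisory for the model in question.

```python
# Added example (not from the article or AMD): triage /proc/cpuinfo text and
# flag Zen 2 cores still running a microcode revision below the fixed one.
import re

# Assumption: Zen 2 parts are AMD family 17h (23 decimal) in these model
# ranges. Cross-check against AMD's product tables before relying on it.
ZEN2_MODEL_RANGES = {
    (0x30, 0x3F): "Rome/Castle Peak", (0x60, 0x6F): "Renoir/Lucienne",
    (0x70, 0x7F): "Matisse", (0x90, 0x9F): "Van Gogh", (0xA0, 0xAF): "Mendocino",
}

def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one {field: value} dict per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, val = line.split(":", 1)
                fields[key.strip()] = val.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def zen2_codename(fields):
    """Return the Zen 2 codename for this CPU, or None if it is not Zen 2."""
    if fields.get("vendor_id") != "AuthenticAMD":
        return None
    if int(fields.get("cpu family", "0")) != 0x17:
        return None
    model = int(fields.get("model", "0"))
    for (lo, hi), name in ZEN2_MODEL_RANGES.items():
        if lo <= model <= hi:
            return name
    return None

def triage(text, min_fixed_rev):
    """min_fixed_rev: fixed microcode revision AMD lists for this model (a placeholder
    the operator fills in from AMD's advisory). Returns {processor_id: status}."""
    result = {}
    for cpu in parse_cpuinfo(text):
        if zen2_codename(cpu) is None:
            result[cpu["processor"]] = "not-affected"
        elif int(cpu.get("microcode", "0"), 16) >= min_fixed_rev:
            result[cpu["processor"]] = "patched"
        else:  # old microcode: the host still depends on the OS-level workaround
            result[cpu["processor"]] = "UNPATCHED"
    return result
# Constructed sample: one Matisse core (model 113 = 0x71) and one Intel core.
SAMPLE = ("processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\n"
          "model\t\t: 113\nmicrocode\t: 0x8701021\n\n"
          "processor\t: 1\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
          "model\t\t: 85\nmicrocode\t: 0x5003604\n")
```

Run `triage(open("/proc/cpuinfo").read(), min_fixed_rev=...)` on each host with the revision from AMD’s advisory; any core reported UNPATCHED is relying on the OS-level workaround and its performance penalty.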
Patch hesitancy leaves enterprises vulnerable
Some of the top attack vectors and methods that have swept through enterprises could easily have been avoided by timely patching of vulnerable hardware and software. Ransomware such as WannaCry, NotPetya and SamSam was able to hit such a large number of devices because of vulnerabilities for which patches already existed, and this is a widespread trend.
A report released by Microsoft in 2015 showed that most of its customers were breached through vulnerabilities the company had patched years earlier. Other research shows that 80% of data breaches could have been prevented by patching an issue on time. Add to this that organisations take 67 days on average to close a discovered vulnerability, and that 20% of vulnerabilities caused by unpatched software are high-risk or critical, and a disturbing picture of the enterprise begins to emerge. This is not even a resource problem; the seemingly simple task of patching has far more pitfalls than are apparent.
In one study, around 55% of companies said they spend more time navigating the processes around patching than actually applying patches. Beyond the sluggishness of companies, research shows that around 72% of decision makers are also reluctant to push out patches for fear of breaking their infrastructure in some way.
To remedy this, the organisational approach to cybersecurity needs to change. Fernando Serto, chief technologist and evangelist, APJC, at Cloudflare, told AIM, “My biggest recommendation for them is, they should be looking into how they can do the orchestration of [security] tools in the same way they do software development, because then it becomes very natural for them.”
While vulnerabilities like Zenbleed are fairly common, the real problem lies in the difficulty of rolling out the fixes. Security vulnerabilities also become more dangerous the longer they remain in the wild, so while Zenbleed might not be a big problem now, it could become the spearhead of a larger attack strategy.