Zenbleed - CVE-2023-20593
Zenbleed, aka CVE-2023-20593, was made public on the 24th of July 2023, after being privately reported to AMD on the 15th of May 2023. It’s a hardware vulnerability that allows data to be leaked from XMM registers on AMD’s Zen2 processors.
Linux added support for the microcode update, and automatically enables the chicken bit if the update isn’t applied.
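To check which state a Linux host is in, the sketch below (an added example, not code from this post or from the kernel) classifies a machine from its `/proc/cpuinfo` text and the value of the DE_CFG register. The MSR address, the bit position and the Zen 2 model ranges are assumptions taken from the Linux kernel's handling of family 17h, not from this page, and the sample cpuinfo is constructed.

```python
import os

# Assumptions (from the Linux kernel's Zenbleed fix, not from this page):
DE_CFG_MSR = 0xC0011029          # AMD DE_CFG model-specific register
FP_BACKUP_FIX = 1 << 9           # the Zen 2 "chicken bit"
ZEN2_MODELS = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))

# Constructed sample of /proc/cpuinfo for one Zen 2 core.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 7 3700X 8-Core Processor
"""

def parse_cpuinfo(text):
    """Return (vendor, family, model) for the first CPU block."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break        # blank line ends the first CPU block
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return (fields.get("vendor_id"), int(fields.get("cpu family", 0)),
            int(fields.get("model", 0)))

def is_zen2(vendor, family, model):
    return (vendor == "AuthenticAMD" and family == 0x17
            and any(lo <= model <= hi for lo, hi in ZEN2_MODELS))

def read_de_cfg(cpu=0):
    """Read DE_CFG via the msr driver (root and `modprobe msr` required)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return int.from_bytes(os.pread(fd, 8, DE_CFG_MSR), "little")
    finally:
        os.close(fd)

def zenbleed_status(cpuinfo_text, de_cfg):
    if not is_zen2(*parse_cpuinfo(cpuinfo_text)):
        return "not-zen2"
    if de_cfg is None:
        return "zen2-msr-unreadable"
    if de_cfg & FP_BACKUP_FIX:
        return "zen2-chicken-bit-set"
    return "zen2-chicken-bit-clear"   # only safe if the fixed microcode is loaded
```

On a live host, call `zenbleed_status(open("/proc/cpuinfo").read(), read_de_cfg())` as root. A clear bit on Zen 2 is expected once the microcode update is loaded, so confirm the microcode revision before treating that result as mitigated.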
For OpenBSD, De Raadt said:
OpenBSD does not use the AVX instructions to the same extent that Linux and Microsoft do, so this is not as important.
On Linux, glibc has AVX-based optimizations for simple functions (string and memory copies) which will store secrets into the register file which can be extracted trivially, so the impact on glibc-based systems is HUGE.
While working on our fixes, I ran the test programs for quite a while and I never saw anything resembling a ’text’ string. However when I ran a browser I saw streams of what was probably graphics-related fragments flowing past. The base system clearly uses AVX very rarely by itself.
In summary: in OpenBSD, this isn’t a big deal today. However, attacks built upon primitives always get better over time, so I urge everyone to install these workarounds as soon as our errata ship.
Running an untailored proof-of-concept for a couple of hours and managing to leak data from a web browser and calling it “not a big deal today” is pretty bold.
Or, as bla, admin from #io and exploit extraordinaire, put it on IRC:
bla > pretty sure calling a bug that tavis finds low severity at first glance, is written on many tombstones.