Zenbleed - CVE-2023-20593
Zenbleed, aka CVE-2023-20593, was made public on the 24th of July 2023, and was privately reported to AMD on the 15th of May 2023. It’s a hardware vulnerability that allows data to be leaked from XMM registers on AMD’s Zen2 processors.
Linux added support for the microcode update, and automatically enabled the chicken bit DE_CFG[9] if the update isn’t applied.
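To audit which CPUs have the chicken bit set, the sketch below reads DE_CFG through the Linux msr driver; it is an added example, not code from the kernel or from the original post. It assumes the MSR address 0xC0011029 (MSR_AMD64_DE_CFG in the Linux sources, not stated on this page), root privileges and a loaded `msr` module; the sample readings are constructed.

```python
import glob
import os
import struct

MSR_AMD64_DE_CFG = 0xC0011029  # assumption: DE_CFG address as named in Linux
ZENBLEED_CHICKEN_BIT = 9       # DE_CFG[9], the bit named in the text above


def chicken_bit_set(de_cfg: int) -> bool:
    """True if DE_CFG[9] is set in a raw 64-bit MSR value."""
    return bool((de_cfg >> ZENBLEED_CHICKEN_BIT) & 1)


def read_de_cfg(cpu: int) -> int:
    """Read DE_CFG on one CPU: the msr device maps file offset to MSR address."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, MSR_AMD64_DE_CFG))[0]
    finally:
        os.close(fd)


def cpus_without_bit(readings: dict) -> list:
    """CPU ids whose DE_CFG lacks bit 9. Every logical CPU is checked,
    since one CPU left without the workaround is enough to leak from."""
    return sorted(c for c, v in readings.items() if not chicken_bit_set(v))


# Constructed sample values: CPUs 0 and 1 have bit 9 set, CPUs 2 and 3 do not.
SAMPLE_READINGS = {0: 0x200, 1: 0x200, 2: 0x0, 3: 0x1FF}

if __name__ == "__main__":
    paths = glob.glob("/dev/cpu/[0-9]*/msr")
    if not paths:
        print("no msr devices found (try: modprobe msr); using sample data")
        readings = SAMPLE_READINGS
    else:
        cpus = sorted(int(p.split("/")[3]) for p in paths)
        readings = {c: read_de_cfg(c) for c in cpus}
    missing = cpus_without_bit(readings)
    # A clear bit is not proof of exposure: per the text above, Linux only
    # sets it when the microcode update is absent, so check microcode too.
    print("DE_CFG[9] clear on CPUs:", missing if missing else "none")
```

A clear bit on a machine with the fixed microcode is expected, so pair this check with the running microcode revision before drawing conclusions.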
For OpenBSD, De Raadt said:
OpenBSD does not use the AVX instructions to the same extent that Linux and Microsoft do, so this is not as important.
On Linux, glibc has AVX-based optimizations for simple functions (string and memory copies) which will store secrets into the register file which can be extracted trivially, so the impact on glibc-based systems is HUGE.
While working on our fixes, I ran the test programs for quite a while and I never saw anything resembling a ’text’ string. However when I ran a browser I saw streams of what was probably graphics-related fragments flowing past. The base system clearly uses AVX very rarely by itself.
In summary: in OpenBSD, this isn’t a big deal today. However, attacks built upon primitives always get better over time, so I urge everyone to install these workarounds as soon as our errata ship.
Running an untailored proof-of-concept for a couple of hours, managing to leak data from a web browser, and then calling it “not a big deal today” is pretty bold.
Or, as bla, admin from #io and exploit extraordinaire, put it on IRC:
bla > pretty sure calling a bug that tavis finds low severity at first glance, is written on many tombstones.