What is the ‘Zenbleed’ Exploit and 7 Ways to Prevent it Now

In 2018, the discovery of the Meltdown and Spectre CPU vulnerabilities sent shockwaves through the tech industry. These hardware flaws allowed attackers to steal sensitive data like passwords and encryption keys from computers, smartphones, and cloud servers. Now, in 2023, history is unfortunately repeating itself. 

A new exploit called Zenbleed has emerged, taking advantage of similar speculative execution processes in AMD’s Zen architecture chips. AMD reported gross revenue of $23.6 billion in 2022, which provides a frightening insight into just how many AMD chips power consumer devices and enterprise servers worldwide.  

In this blog, we’ll explain how Zenbleed works, which AMD processors are affected, and, most importantly, what you can do right now to protect yourself and your organization.

What is the Zenbleed Exploit and How Does it Work?

The Zenbleed exploit is a silicon-level bug that Google infosec guru Tavis Ormandy discovered. It can be exploited to steal passwords, cryptographic keys, and other sensitive data, and it affects Ryzen and Epyc Zen 2 chips, which belong to the AMD Zen2 CPU family.

Zenbleed involves abusing speculative execution, a technique modern processors use to improve performance by executing instructions before they are needed. It takes advantage of a feature in contemporary x86 processors called vector registers, which applications and operating systems use to perform math operations and process strings. 

If an instruction called ‘vzeroupper‘ is speculatively executed, the processor marks the affected registers as zero and allows those registers to be used for other operations. If the processor later realizes it shouldn’t have speculatively executed the ‘vzeroupper’ instruction, it tries to undo the zeroing. However, by this point, other codes will likely use the registers. Therefore, they are no longer marked as zero, meaning their contents from the previous operation are now accessible to that other code.

Malware running on a system or a rogue logged-in user without special privileges can easily exploit this behavior. It enables the attacker to inspect data as it is processed by applications and the operating system, which can include private information like passwords.

What Was the Impact of the Zenbleed Exploit?

The Zenbleed exploit significantly impacts the security of systems running AMD’s Zen 2 processors, including popular CPUs like the Ryzen 5 3600 and the entire Zen 2 product stack. The exploit allows attackers to steal data from any software on an impacted system. It’s also speculated that the Zenbleed exploit could slow down the performance of Zen 2 CPUs. 

One of the major concerns about Zenbleed is its ability to execute remotely without requiring physical access to a user’s computer. Additionally, Zenbleed can operate under the radar as it doesn’t require any special system calls or privileges to exploit, which makes detecting exploitation difficult and increases the risk of unanticipated data breaches.

AMD has responded to the Zenbleed vulnerability by issuing a security advisory and releasing a microcode patch for Epyc 7002 processors. However, the tech industry doesn’t expect updates for most other impacted processors until late 2023. This delay in patches potentially leaves many systems vulnerable to the exploit for an extended period.

7 Ways to Prevent the Zenbleed Exploit

Here are seven actionable tips to help you stay vigilant and secure and prevent the Zenbleed exploit. 

1. Update your CPU microcode

AMD has released microcode updates that address the Zenbleed issue in affected Zen 2 processors. These updates patch the vulnerability at the CPU level by adequately handling the vzeroupper instruction that was being abused. There are two main ways to get the microcode update:

• Through a BIOS/UEFI firmware update from your device OEM – Many device manufacturers will release firmware updates that include AMD’s microcode patch. Check your manufacturer’s website for updated BIOS or UEFI firmware and install it.
• Through your operating system – Recent operating system updates may also deploy the new microcode. Make sure you are on the latest OS version to get the microcode patch applied.

Applying the microcode update is the official fix recommended by AMD and provides the complete patch for Zenbleed. Mitigations like the chicken bit may have reduced performance or don’t fully address the issue. Installing the microcode update should be a priority for any systems running vulnerable Zen 2 processors. In addition, SpectralOps can help automate and validate patching and other OS hardening best practices across your environment.

2. Keep your operating system, browsers, applications, and drivers fully updated

While the microcode update patches the issue at the CPU level, software vendors may also release updates to help mitigate potential exploits targeting Zenbleed:

• Operating Systems – Keep your OS fully updated. Updates may include changes to reduce or eliminate certain speculation side channel attacks.
• Web Browsers – Browser vendors like Mozilla and Google may release updates that disable specific speculation optimizations when running on affected CPUs.
• Applications – Apps like email clients and office suites may also get updates to disable speculation or better protect sensitive memory.
• Drivers – Updated GPU, network, and other drivers may improve isolation or include changes to reduce vulnerabilities like Zenbleed.

As a best practice, regularly check your OS and software vendor sites/update mechanisms for the latest versions. Automating OS and software updates is highly recommended for the newest mitigations. Combining microcode fixes with software updates provides overlapping layers of protection against potential exploits of the Zenbleed bug. 

3. Use the ‘chicken bit’ mitigation

On Linux and FreeBSD systems, you can set the ‘chicken bit’ CPU flag to prevent abuse of the vulnerability. The ‘chicken bit’ is a hardware mitigation on AMD Zen 2 processors that prevents the speculative execution behavior leading to the Zenbleed vulnerability.

Linux:

• Use the msr kernel module to set bit 9 of the DE_CFG MSR (at offset 0xc0011029):

modprobe msr

# wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))

This will persist across reboots.

FreeBSD:

• Use cpucontrol(8) utility:

cpucontrol -m DE_CFG:9=1

To make this persist, add the following to /boot/loader.conf:

cpu_microcode_load="YES" cpu_microcode_name="/boot/zen2_microcode.bin"

The chicken bit disables specific speculative execution capabilities of Zen 2 CPUs that Zenbleed abuses. However, it can result in reduced performance in some workloads.

The chicken bit mitigation can be useful if microcode updates are not available for your system yet, but updating the CPU microcode is recommended over the chicken bit where possible.

4. Disable simultaneous multithreading (SMT)

Simultaneous multithreading (SMT) allows a single physical CPU core to act as two logical cores by running two thread contexts in parallel. However, SMT can allow cross-thread data leakage through side-channel attacks like Zenbleed, as the two threads share certain internal processor states like caches. 

Disabling SMT prevents this cross-thread leakage by only allowing one thread context per physical core. It can be disabled in the BIOS/UEFI settings of most systems. On Linux, you can also disable it temporarily by using the kernel parameter nosmt

• Edit the grub config to add nosmt to the kernel parameters.
• During boot enter edit mode and add nosmt to the Linux line.

The drawback of disabling SMT is reduced performance, as you lose the extra throughput of having two threads per core.

5. Enable virtualization-based security

Modern CPUs from AMD and Intel provide virtualization capabilities like AMD-V and Intel VT-x to support running virtual machines (VMs) and containers.

These virtualization features can be used to provide additional security isolation between the host system and virtualized environments, making it much harder for speculative execution attacks like Zenbleed to leak data from inside VMs. Some specific capabilities that help mitigate Zenbleed in VMs are:

• Encrypted State (AMD-SEV/Intel TDX) – Encrypts VM memory to prevent unauthorized access
• Shadow Paging (AMD NPT/Intel EPT) – Isolates and protects VM memory pages
• Direct Device Assignment – GPUs and devices assigned directly to a VM are inaccessible to host

The advantage of this approach over disabling SMT is that you can isolate the sensitive VMs/containers without compromising overall system performance. Also, SpectralOps validates hypervisor configurations and ensures proper policy enforcement for isolation, as per security hardening best practices. 

6. Limit the use of vulnerable instructions 

Although the Zenbleed attack mainly abuses speculative execution triggered by the vzeroupper instruction, other instructions can also lead to speculative executions. These include instructions like:

• AVX – Advanced Vector Extensions
• SSE – Streaming SIMD Extensions 
• Branch prediction instructions

Random number generation functions, searching/sorting algorithms, neural network inference, and image processing are some key areas you need to consider since they tend to use AVX and SSE.

7. Separate sensitive workloads 

Organizations should consider running highly sensitive workloads on non-vulnerable hardware, away from systems affected by Zenbleed. For example:

• Isolate key management servers like hardware security models (HSMs) on dedicated hardware not using Zen 2 CPUs.
• Run workloads processing health data, PII, and financial info on unaffected servers.
• Don’t perform highly sensitive tasks like audits or compliance processes on shared infrastructure.
• Deploy dedicated crypto accelerators for encryption/signing operations.
• Use hardened servers for PKI, identity management, and authentication systems.

Non-vulnerable hardware could include older AMD processors or Intel-based systems unaffected by this specific issue. Using instance types/families that don’t use Zen 2 CPUs could be an option for cloud environments. 

Lock It Down: Proactive Steps to Get Ahead of Emerging Threats

The recent discovery of the Zenbleed vulnerability in AMD’s Zen2 processors serves as an important reminder that a security monitoring strategy requires constant vigilance. While AMD has released mitigations, the potential for new exploits means organizations must remain proactive. 

Implementing a layered security strategy with controls like patching, encryption, access management, continuous security monitoring tools, and more can significantly reduce your attack surface and risk exposure. Though no single solution is foolproof, taking a defense-in-depth approach makes it much harder for attackers to be successful. 

With Spectral, you can automate the process of assessing configurations and protecting access credentials, keys, and other sensitive data. Spectral provides the visibility, detection, and response capabilities security teams need. 

Get a free trial today.