Sunday, August 29th 2021

Meltdown-like Vulnerability Affects AMD Zen+ and Zen2 Processors

Cybersecurity researchers Saidgani Musaev and Christof Fetzer of the Dresden Technology University discovered a novel method of forcing illegal data flow between microarchitectural elements on AMD processors based on the "Zen+" and "Zen 2" microarchitectures, described in a paper titled "Transient Execution of Non-canonical Accesses." The method was discovered in October 2020, but the researchers followed responsible-disclosure norms, giving AMD time to address the vulnerability and develop a mitigation. The vulnerability is tracked as CVE-2020-12965 and under AMD Security Bulletin ID "AMD-SB-1010."

The one-line summary of this vulnerability from AMD reads: "When combined with specific software sequences, AMD CPUs may transiently execute non-canonical loads and store using only the lower 48 address bits, potentially resulting in data leakage." The researchers studied this vulnerability on three processors: the EPYC 7262, based on "Zen 2," and the Ryzen 7 2700X and Ryzen Threadripper 2990WX, based on "Zen+." They mention that all Intel processors that are vulnerable to MDS attacks "inherently have the same flaw." AMD is the subject of the paper because AMD "Zen+" (and later) processors are immune to MDS as demonstrated on Intel processors. AMD developed a mitigation for the vulnerability, which includes ways of patching vulnerable software.
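To make the "lower 48 address bits" part of AMD's summary concrete, here is an added example (not code from the paper, from AMD, or from this article). It assumes the usual x86-64 layout in which a virtual address is canonical only when bits 63..47 are all copies of bit 47. It shows how a non-canonical address, which faults when accessed architecturally, collides with a valid address once only the low 48 bits are considered, and it shows the defensive pattern AMD's bulletin recommends: a bounds check followed by an LFENCE before the dependent load. The table contents and addresses are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 with 4-level paging has 48 meaningful virtual-address bits; bits
   63..47 must all equal bit 47 for the address to be canonical (assumption
   stated in the lead-in; this is the standard architectural rule). */
#define VA_BITS 48
#define LOW48_MASK ((1ULL << VA_BITS) - 1)

/* Returns true when bits 63..47 are all 0 or all 1, i.e. the address is canonical. */
bool is_canonical(uint64_t va) {
    uint64_t upper = va >> (VA_BITS - 1);   /* the 17 bits 63..47 */
    return upper == 0 || upper == 0x1FFFFULL;
}

/* The part of an address that a transient non-canonical access would use,
   per AMD's wording ("using only the lower 48 address bits"). */
uint64_t low48(uint64_t va) {
    return va & LOW48_MASK;
}

/* True when the non-canonical address 'bad' aliases the canonical address
   'good' once the upper bits are ignored.  An architectural access to 'bad'
   raises a fault; the transient path the bulletin describes may not. */
bool aliases_when_truncated(uint64_t bad, uint64_t good) {
    return !is_canonical(bad) && is_canonical(good) && low48(bad) == low48(good);
}

/* Constructed sample data (not from the page). */
static const uint8_t table[8] = {11, 22, 33, 44, 55, 66, 77, 88};

/* Bounds-checked load with a speculation barrier between the check and the
   dependent load, i.e. the LFENCE pattern from AMD's mitigation guidance.
   Returns -1 for an out-of-range index.  The fence is emitted only on x86;
   on other targets the function keeps the same architectural behaviour. */
int guarded_load(size_t idx) {
    if (idx >= sizeof table)
        return -1;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
    return table[idx];
}

int main(void) {
    uint64_t good = 0x00007FFF12345678ULL;   /* canonical user-space address (constructed) */
    uint64_t bad  = 0x00FF7FFF12345678ULL;   /* same low 48 bits, garbage above bit 47 */
    printf("good canonical: %d\n", is_canonical(good));
    printf("bad canonical:  %d\n", is_canonical(bad));
    printf("aliases when truncated: %d\n", aliases_when_truncated(bad, good));
    printf("guarded_load(3) = %d, guarded_load(8) = %d\n",
           guarded_load(3), guarded_load(8));
    return 0;
}
```

The check-then-fence ordering is the whole point of `guarded_load`: the LFENCE stops younger instructions from executing until the comparison has retired, so a mispredicted branch cannot issue the dependent load transiently. Where a codebase already carries Spectre v1 style barriers or index masking, this is the same mechanism applied after pointer-validation checks.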

Find the security research paper here (PDF), and the AMD security bulletin here. AMD's mitigation blueprint can be accessed here.

41 Comments on Meltdown-like Vulnerability Affects AMD Zen+ and Zen2 Processors

#1
Tardian
They mention that all Intel processors that are vulnerable to MDS attacks "inherently have the same flaw."
Crickets chirping ..................... Usual negative comments from Intel enthusiasts strangely lacking? :D

BTW my signature block was in no way influenced by the Ryzen logo above. I have been interested in black holes and neutron stars for about 50 years. I got a major site, much bigger than TPU, to stop referring to the EHT image as a photograph (others helped). Andy may have a different opinion.
Posted on Reply
#2
londiste
They mention that all Intel processors that are vulnerable to MDS attacks "inherently have the same flaw."
Who, where? Sounds like they simply mean MDS vulnerabilities.
The only place research paper mentions Intel at all is this part in the introduction:
While Spectre-type attack targets wide families of CPUs from different vendors, Meltdown-type attacks were targeting mostly Intel CPUs.
The predominant focus of previous research on Intel may mean that other vendors’ CPUs were not investigated as thoroughly and may still have undiscovered microarchitectural vulnerabilities.
Edit:
I was wrong about Intel not being mentioned. The search does not work properly in the PDF. Found the source of that sentence:
Page 4: All Intel CPUs that are vulnerable to MDS attacks inherently have the same flaw described here. We tested one MDS-resistant Intel(R) Core(TM) i7-10510U, and we did not detect such a flaw.
Posted on Reply
#3
olymind1
In this case what do endusers need to do to be protected?

For example, I have an MSI B450 Tomahawk (latest stable BIOS is from last July, based on AGESA ComboAm4PI 1.0.0.6) with a Ryzen 3600X, with the latest chipset driver, and Win10 is kept up to date.
Posted on Reply
#4
Sihastru
And as usual, AMD sweeps things under the rug, shifting the responsibility to the software developers:

Mitigation

AMD recommends that SW vendors analyze their code for any potential vulnerabilities related to this type of transient execution. Potential vulnerabilities can be addressed by inserting an LFENCE or using existing speculation mitigation techniques.
Posted on Reply
#5
GeorgeJr
Don't you just love that misinforming article title?
Posted on Reply
#6
R-T-B
Sihastru: And as usual, AMD sweeps things under the rug, shifting the responsibility to the software developers:
They haven't issued correcting microcode as well?

AFAIK this is also Intel's advice, but they couple it with mitigating microcode.
Posted on Reply
#7
user556
Going by the title, both Zen1 and Zen3 don't have the vulnerability. That would make it a regression that's already been corrected.
Posted on Reply
#8
Crackong
So it is hardware fixed in Zen3 ?
Posted on Reply
#9
Sihastru
R-T-B: They haven't issued correcting microcode as well?
No, and it won't ever be addressed, other than that 8-page PDF showing a few assembler code snippets that software developers should look out for.

Consider some small piece of code written in a high level language, let's say the Fibonacci sequence, that's going to be about 8 lines of code. In assembler that's going to translate to at least 40 lines of code. Now apply some scale economics and think of a 1 to 5 million line project. That's not a small project, but it's not necessarily a huge one either. For example, an old version of Photoshop, CS6, has about 4.5 million lines of code. In assembler, that would be at least 25 million lines of code. And this is probably undercutting it by a fair amount.

AMD says good luck with that.
Posted on Reply
#10
lexluthermiester
After having read the data sheet PDF, it seems clear to me this is a minor vulnerability, which is why AMD classified it as "Medium" severity. The reason is detailed in the PDF. The vulnerability is present, but difficult to use for data capture, requires a perfect storm of conditions (including attacker physical presence; remote attacks are extremely unlikely) and even if successful will yield only that data which is present in the CPU L2/L3 at the time of execution. This is almost nothing-sauce.
R-T-B: AFAIK this is also Intel's advice, but they couple it with mitigating microcode.
www.amd.com/en/corporate/product-security/bulletin/amd-sb-1010
Potential vulnerabilities can be addressed by inserting an LFENCE or using existing speculation mitigation techniques as described in [2].
No microcode updates are needed as existing mitigations are easily adapted to resolve the problem.
Posted on Reply
#11
Rus4kova
It's funny ... whenever a new Intel release is approaching we get all these ... AMD is bad AMD is insecure AMD is trash Intel wrecks AMD in 1 test and so on.
I wonder where it's all coming from? and why reporters are eating it raw.
Posted on Reply
#12
Sihastru
AMD publicly disclosed the vulnerability this month. It has nothing to do with Intel's new releases calendar.
Posted on Reply
#13
Makaveli
Glad I'm on Zen 3, and ya, that title certainly needs work.
Posted on Reply
#14
mtcn77
Rus4kova: It's funny ... whenever a new Intel release is approaching we get all these ... AMD is bad AMD is insecure AMD is trash Intel wrecks AMD in 1 test and so on.
I wonder where it's all coming from? and why reporters are eating it raw.
That is what they have got to do, if they step out of line it is over for them. Decency is the last thing reported.
Posted on Reply
#15
medi01
"Meltdown like" as in "kinda vulnerability, but not even remotely as bad as Meltdown".

That's some advanced usage of the word "like"... :D
Sihastru: It has nothing to do with Intel's new releases calendar.
AMD release does not.
Misleading article title, on the other hand... :peace:
Posted on Reply
#16
lexluthermiester
medi01: Misleading article title, on the other hand...
I disagree, the title of the article is a fair assessment of the situation, just not the severity.
Posted on Reply
#17
R-T-B
lexluthermiester: No microcode updates are needed as existing mitigations are easily adapted to resolve the problem.
That's not Intel's take, nor mine. Software doesn't recompile itself. Disappointing that this is AMD's philosophy.
Posted on Reply
#18
lexluthermiester
R-T-B: That's not Intel's take, nor mine. Software doesn't recompile itself. Disappointing that this is AMD's philosophy.
Um, ok. You read the whitepaper pdf then?
Posted on Reply
#19
MentalAcetylide
In the eyes of these companies, you're just a toilet bug that they're profiting off of. When it comes to making money and cutting costs, they all behave the same way. When it comes down to it, it's more of a personal preference of which you're able/willing to tolerate. :laugh:

P.S.: Can we get a "toilet bug" emoji? :laugh:
Posted on Reply
#20
JAB Creations
GeorgeJr: Don't you just love that misinforming article title?
Yeah, AMD has a vulnerability and Intel has it but let's focus 99% on AMD because that is objective.</sarcasm>
Posted on Reply
#21
R-T-B
lexluthermiester: Um, ok. You read the whitepaper PDF then?
Yeah, I glanced at it, but this really isn't technical to understand. I disagree with AMD's approach to remedy this. You'd need to hope all software is "spectre-vulnerability ready." That is not realistic to expect in a closed-source ecosystem like Windows.

Anything that purely shifts the blame to the vendor of the software like this is as good as nothing, it's passing the buck, and that's all.
Posted on Reply
#22
MentalAcetylide
JAB Creations: Yeah, AMD has a vulnerability and Intel has it but let's focus 99% on AMD because that is objective.</sarcasm>
Yeah, looks like we have ourselves a set of butt cheeks in front of us with some security business to attend to. One cheek is stamped with Intel, and the other AMD. You can never go wrong regardless of which one we kick, but if we kick the same one too much, for some reason it just gets bigger with all the swelling and the pair end up being out of proportion. Both Intel & AMD need to be addressing security issues given how ubiquitous this stuff is throughout the industries.
Posted on Reply
#23
lexluthermiester
R-T-B: Yeah, I glanced at it, but this really isn't technical to understand. I disagree with AMD's approach to remedy this. You'd need to hope all software is "spectre-vulnerability ready." That is not realistic to expect in a closed-source ecosystem like Windows.

Anything that purely shifts the blame to the vendor of the software like this is as good as nothing, it's passing the buck, and that's all.
I think you might be misunderstanding this situation. AMD isn't passing the buck, they are saving time and money for everyone. The mitigation for this vulnerability is just a minor, easily made, change to existing mitigations. As I said, it's almost nothing-sauce.
JAB Creations: Yeah, AMD has a vulnerability and Intel has it but let's focus 99% on AMD because that is objective.</sarcasm>
On page 4, section 5 of the PDF, the researchers clearly define the Intel side of things by stating:
We also tested Intel CPUs for such behaviour. All Intel CPUs that are vulnerable to MDS attacks inherently have the same flaw described here.
They did not elaborate further, as existing Meltdown mitigations are very likely to solve the problem. While this was not stated (and yes, it should have been), it was implied.
Posted on Reply
#24
londiste
lexluthermiester: They did not elaborate further, as existing Meltdown mitigations are very likely to solve the problem. While this was not stated (and yes, it should have been), it was implied.
They did elaborate further and MDS mitigations seem to work against it:
All Intel CPUs that are vulnerable to MDS attacks inherently have the same flaw described here. We tested one MDS-resistant Intel(R) Core(TM) i7-10510U, and we did not detect such a flaw.
Posted on Reply
#25
lexluthermiester
londiste: They did elaborate further and MDS mitigations seem to work against it:
But that's a hardware fix only for one series of Intel CPUs, not for all that are vulnerable.
Posted on Reply