Microsoft Confirms New Encryption Bug Could Damage Data on Latest AMD & Intel CPUs With VAES Instructions, Patch To Reduce Performance
While AMD & Intel CPUs are the highlights, virtually any system that is running a PC with the following instructions is affected and susceptible to data damage:
AES XEX-based tweaked-codebook mode with ciphertext stealing (AES-XTS) AES with Galois/Counter Mode (GCM) (AES-GCM)
As for the list of CPUs that are affected by this bug, those include Intel CPUs starting the 10th Gen Ice Lake and above, Ice Lake-SP Xeon Scalable processors for servers, and AMD CPUs starting the Zen 3 lineup plus the upcoming Zen 4 chips. For Zen 3, both the non-V-Cache and 3D V-cache parts are affected. Alder Lake & Raptor Lake CPUs don’t officially support VAES but it can be enabled on some motherboards with custom BIOS firmware.
AMD CPUs Affected: Ryzen 5000, Ryzen 5000X3D, EPYC Milan, EPYC Milan-X, EPYC Genoa Intel CPUs Affected: Ice Lake, Tiger Lake, Alder Lake (Partial), Raptor Lake (Partial), Ice Lake-SP, Sapphire Rapids-SP
The root cause of this bug happened when Microsoft added new code paths to Windows 11 and Windows Server 2022 versions of SymCrypt to take advantage of the VAES instructions offered by the latest CPUs. SymCrypt is the core cryptographic library in Windows. These instructions act on Advanced Vector Extensions (AVX) registers for hardware with the newest supported processors. However, these code paths opened up a vulnerability that could lead to permanent data damage. Now there’s already a resolution and workaround which is to install the June 23, 2022 preview of the aforementioned operating systems but it is reported by Microsoft that after applying the new update, PCs will notice slower performance (up to 2x slower) in applications such as:
BitLocker Transport Layer Security (TLS) (specifically load balancers) Disk throughput, especially for enterprise customers
Microsoft states that users will have to wait for a month for a proper patch to be rolled out but till then, the only workaround to avoid data damage is to switch to lower performance on the older update. News Source: WindowsReport
Windows 11 (original release) - KB5014668 Windows Server 2022 - KB5014665
Or Install the July 12, 2022 security release for your OS; see below:
Windows 11 (original release) - KB5015814 Windows Server 2022 - KB5015827
via Microsoft