A new vulnerability affecting AMD’s Zen 2 line of processors, which includes popular CPUs like the budget Ryzen 5 3600, has been discovered and could be used to steal sensitive data such as passwords and encryption keys. Google security researcher Tavis Ormandy disclosed the “Zenbleed” bug CVE-2023-20593) is open his blog After first reporting the vulnerability for AMD this week on May 15th.
The entire Zen 2 product stack is affected by the vulnerability, including all processors in the AMD Ryzen 3000 / 4000 / 5000 / 7020 series, the Ryzen Pro 3000 / 4000 series, and AMD’s EPYC “Rome” data center processors. AMD has been around ever since has been published its expected release schedule to address the exploit, most firmware updates are not expected to arrive until later this year.
Zenbleed can allow attackers to steal data from any application running on an affected system, including cloud-hosted services.
according to Cloudflare, the Zenbleed exploit does not require physical access to a user’s computer to attack a user’s system, and can even be executed remotely via Javascript on a web page. If executed successfully, the exploit allows data to be transferred per core at a rate of 30 kb per second. According to Ormandy, this is fast enough to steal sensitive data from any application running on the system, including virtual machines, sandboxes, containers and processes. whom TomsHardware notes that the flexibility of this exploit is of particular concern for cloud-hosted services, as it could potentially be used to spy on users on cloud instances.
Even worse – Zenbleed can fly under the radar because it requires no special system calls or privileges to use. “I’m not aware of reliable methods for exploit detection,” Ormandy said. The flaw shares some similarities with the Specter class of CPU vulnerabilities in that it exploits flaws in speculative execution, but is easier to execute – making it more similar to the Meltdown family of exploits. Full technical information on the Zenbleed vulnerability can be found here Ormandy’s blog.
AMD has already released a microcode patch for its second-generation Epyc 7002 processors, although the next updates for the rest of the CPU lines aren’t expected until October 2023 at the earliest. The company did not say whether these updates will affect system performance, but AMD said in a statement TomsHardware means that there is a possibility that:
Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploits of the described vulnerability outside of the research environment.
Ormandy “highly recommends” that affected users apply AMD’s microcode update, but has provided instructions on its blog for a software solution that can be applied while we wait for vendors to include a fix in future BIOS updates. Ormandy warns that this workaround may also affect system performance, but at least it’s better than waiting for a firmware update.