/cdn.vox-cdn.com/uploads/chorus_asset/file/23262657/VRG_Illo_STK001_B_Sala_Hacker.jpg "The AMD ‘Zenbleed’ bug can be exploited to leak passwords from Ryzen CPUs")
A new security vulnerability has been discovered affecting AMD’s Zen 2 line of processors — which includes popular CPUs like the budget-friendly Ryzen 5 3600 — that could be exploited to steal sensitive data such as passwords and encryption keys. Google security researcher Tavis Ormandy exposed the “Zenbleed” bug (registered as CVE-2023-20593) on his blog This week after the vulnerability was first reported to AMD on May 15th.
The entire Zen 2 family of products is affected by the vulnerability, including all processors within the AMD Ryzen 3000/4000/5000/7020 series, the Ryzen Pro 3000/4000 series, and AMD’s EPYC “Rome” data center processors. Since then AMD published The expected release schedule to patch the vulnerability, with most firmware updates not expected to arrive until later this year.
Zenbleed could allow attackers to steal data from any software running on an affected system, including cloud-hosted services.
according to Cloud FlairThe Zenbleed exploit does not require physical access to a user’s computer to attack their system, and can even be executed remotely through Javascript on a web page. If implemented successfully, the exploit allows data to be transferred at a rate of 30 kilobytes per core per second. That’s fast enough to steal sensitive data from any software running on the system, including virtual machines, sandboxes, containers, and processes, according to Ormandy. like Toms It is noted that the resilience of this exploit is a particular concern for cloud-hosted services as it can be used to spy on users within cloud instances.
Even worse – Zenbleed can fly under the radar because it doesn’t require any special system calls or privileges to exploit. “I am not aware of any reliable exploit detection techniques,” Ormandy said. The bug shares some similarities with the Specter class of CPU vulnerabilities in that it uses the flaws in speculative implementations, but is much easier to implement – making it more like the Meltdown family of vulnerabilities. The full technical breakdown regarding the Zenbleed vulnerability can be found at Ormandy blog.
AMD has already released a microcode patch for the second generation Epyc 7002 processors, although the next updates for the remaining CPU lines aren’t expected until October 2023 at the earliest. The company did not reveal whether these updates would affect system performance, but a statement was provided by AMD to it Toms It is suggested that it is possible:
Any performance impact will vary based on workload and system configuration. AMD is not aware of any known exploitation of the vulnerability described outside of the research environment.
Ormandy strongly recommends that affected users apply the AMD microcode update, but has also provided instructions on its blog for a software workaround that can be implemented while they wait for vendors to incorporate a fix into future BIOS updates. Ormandy warns that this solution can also affect system performance, but at least it’s better than having to wait for a firmware update.
