AMD ‘Zenbleed’ Bug: Tavis Ormandy, a Google Information Security researcher, published a blog post yesterday describing a previously unknown vulnerability that he discovered in AMD’s Zen 2 CPUs. This is a significant vulnerability that affects the entire Zen 2 lineup. That implies Ryzen 2000/3000/4000/5000/7020 CPUs, as well as EPYC “Rome” data centre processors, are all affected.
This flaw allows for information theft on the processor. This includes user logins as well as encryption keys. It should be noted that this does not necessitate physical access to a computer or server system. Access could be gained via a webpage employing javascript and can leak approximately 30kb per core, every second.
AMD classifies this new bug as a medium-severity problem.
A register in “Zen 2” CPUs may not be reliably written to 0 under certain microarchitectural conditions. This may result in data from another process and/or thread being saved in the YMM register, potentially allowing an attacker to access sensitive information.
Tavis Ormandy claims to have notified AMD about the ‘Zenbleed’ vulnerability on May 15, 2023, and that AMD has already published a microcode upgrade for the affected chips. This microcode update may already be available from BIOS or operating system suppliers. It’s also worth noting that there’s a chance this will have an impact on performance.
The update is mostly for AMD’s EPYC “Rome” chips, which were just released. Customers that own Ryzen 2000/3000/4000/5000/7020 processors will have to wait even longer, with updates expected in November/December at the earliest. Tavis does offer a software fix for people who are unable to install the microcode upgrade.
Also Read:
