AMD to Fix “Zenbleed” Vulnerability Affecting its Zen 2 CPUs
- Laurent Giret
- Jul 25, 2023
-
0
A pretty serious security vulnerability has been discovered in AMD’s Zen 2 family of CPUs that powers desktop PCs, laptops, as well as data centers. This new “Zenbleed” security flaw was first discovered by Tavis Ormandy, a vulnerability researcher working for Google’s Project Zero team. It can potentially allow attackers to steal security information from Zen 2 CPUs including passwords and encryption keys.
Zenbleed is a speculative execution vulnerability, similar to the Spectre and Meltdown vulnerabilities that were discovered in Intel, AMD, and ARM chips back in 2018. This type of vulnerability leverages the CPU process known as speculative execution as an attack vector to compromise register files and access sensitive information on a device.
Windows Intelligence In Your Inbox
Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!
"*" indicates required fields
This new “Zenbleed” security flaw doesn’t require physical access to a device to be exploited. On his blog, Ormandy has a pretty detailed technical explanation of how this vulnerability works. Cloudflare, which uses AMD Zen 2 CPUs on some of its servers, also published a slightly more practical explanation of it.
“The ‘Zenbleed’ flaw affects the entire Zen 2 product stack, from AMD’s EPYC data center processors to the Ryzen 3000 CPUs, and can be exploited to steal sensitive data stored in the CPU, including encryption keys and login credentials. The attack can even be carried out remotely through JavaScript on a website, meaning that the attacker need not have physical access to the computer or server,” the Cloudflare team explained.
AMD has now published a security advisory detailing when it’s planning to release microcode updates to mitigate this new vulnerability on its Zen 2 family of CPUs. The company has already released patches for its EPYC 7002 ‘Rome’ processors for data centers, but updates for Zen 2 desktop and mobile CPUs won’t be released until October at the earliest.
In a statement shared with Tom’s Hardware, AMD said that it’s not aware of the vulnerability already being used by attackers, which is something that Cloudflare also said today. AMD also added that customers may also expect a performance impact after installing microcode updates. “Any performance impact will vary depending on workload and system configuration,” an AMD spokesperson said.