A new vulnerability has been discovered in AMD’s Zen 2 processors—one that allows data like passwords and encryption keys to be stolen from the CPU. Disclosed publicly this week by Google security researcher Tavis Ormandy, this bug affects consumer chips as well as server, including Ryzen 3000 series parts.
As detailed by Ormandy in a post, this “Zenbleed” vulnerability was first shared with AMD back in mid-May. It can be used to execute code through Javascript on a webpage—no physical access is needed for an affected PC. And if exploited successfully, Zenbleed allows attackers to see any CPU operation, including those happening in sandboxes or virtual machines. (You can catch the full technical rundown in Ormandy’s post, or a more summarized version in this Tom’s Hardware report.) All Zen 2 processors in the following processor families are affected:
- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC “Rome” Processors
Currently, AMD has released a microcode update, though details about when and how it’ll appear in firmware updates for consumers has yet to be announced. (As told to Tom’s Hardware, AMD says the first patches have been for EPYC server CPUs.) If you don’t want to wait for AMD, Ormandy explains how to make a software tweak as a workaround—although its impact on performance is unknown.
AMD says it will release a security advisory about this vulnerability (filed as CVE-2023-20593), but until then, information about further patches—and if they will affect Zen 2 CPU performance—remains unknown at this time. So if you own a Zen 2 processor, you’ll want to keep an eye on the news, so you’ll know how to apply the mitigation (e.g., through Windows or BIOS update). Applying it promptly will be vital for your online security.