A critical vulnerability, named “Zenbleed,” has been discovered in AMD’s line of Zen 2 processors. This vulnerability can be exploited by attackers to steal sensitive data such as passwords and encryption keys. Tavis Ormandy, a security researcher from Google, disclosed the bug on his blog after reporting it to AMD in May.
The vulnerability affects the entire Zen 2 product stack, including popular processors like the AMD Ryzen 5 3600. It also impacts other processors within the AMD Ryzen 3000/4000/5000/7020 series, Ryzen Pro 3000/4000 series, and AMD’s EPYC “Rome” data center processors. AMD has published its anticipated release timeline for patching the exploit, but most firmware updates are not expected until later this year.
What makes Zenbleed especially dangerous is that it can steal data from any software running on an impacted system, including cloud-hosted services. Even more concerning, the exploit can be executed remotely through JavaScript on a webpage, without requiring physical access to the user’s computer. This means that cloud instances could potentially be compromised, posing a significant risk to users.
According to Cloudflare, the Zenbleed exploit allows data to be transferred at a rate of 30 kb per core, per second. This speed is fast enough to steal sensitive data from various software running on the system, such as virtual machines, sandboxes, containers, and processes. The flexibility of this exploit raises particular concerns for cloud-hosted services, as it could be used for unauthorized surveillance of users within those instances.
One of the worrisome aspects of Zenbleed is its ability to fly under the radar. The exploit doesn’t require any special system calls or privileges to be executed, making it challenging to detect. Ormandy says that he is not aware of any reliable techniques to detect its exploitation. The bug shares similarities with the Spectre class of CPU vulnerabilities, as it leverages flaws in speculative execution, but it is easier to execute, making it more similar to the Meltdown family of exploits.
To address the vulnerability, AMD has already released a microcode patch for second-generation Epyc 7002 processors. However, updates for the remaining CPU lines are not expected until October 2023, at the earliest. AMD has not disclosed whether these updates will impact system performance, but it acknowledges the possibility. The company states that the performance impact will vary depending on the workload and system configuration, and that it is not aware of any known exploits of the vulnerability outside of the research environment.
In the meantime, impacted users are encouraged to apply AMD’s microcode update as soon as it becomes available. For those who don’t want to wait for the firmware update, Ormandy has provided instructions on his blog for a software workaround that can mitigate the vulnerability. However, it’s important to note that this workaround may also affect system performance.
Given the severity of the Zenbleed vulnerability and its potential impact on data security, it is crucial for AMD users to remain vigilant and take the necessary steps to protect their systems. Following the guidance provided by AMD and staying informed about any updates or patches is essential for mitigating the risk posed by this exploit.