AMD ‘Zenbleed’ exploit can leak passwords and encryption keys from Ryzen CPUs

From The Verge: A new vulnerability impacting AMD’s line of Zen 2 processors — which includes popular CPUs like the budget-friendly Ryzen 5 3600 — has been discovered that can be exploited to steal sensitive data like passwords and encryption keys. Google security researcher Tavis Ormandy disclosed the “Zenbleed” bug (filed as CVE-2023-20593) on his blog this week after first reporting the vulnerability to AMD on May 15th.

The entire Zen 2 product stack is impacted by the vulnerability, including all processors within the AMD Ryzen 3000 / 4000 / 5000 / 7020 series, the Ryzen Pro 3000 / 4000 series, and AMD’s EPYC “Rome” data center processors. AMD has since published its anticipated release timeline for patching out the exploit, with most firmware updates not expected to arrive until later this year.

According to Cloudflare, the Zenbleed exploit doesn’t require physical access to a user’s computer to attack their system, and can even be executed remotely through JavaScript on a webpage. If successfully executed, the exploit allows data to be transferred at a rate of 30 kb per core, per second. That’s fast enough to steal sensitive data from any software running on the system, including virtual machines, sandboxes, containers, and processes, according to Ormandy. As TomsHardware notes, the flexibility of this exploit is a particular concern for cloud-hosted services as it could potentially be used to spy on users within cloud instances.
