Huge ‘Zenbleed’ vulnerability in AMD Ryzen processors: Sensitive information is completely vulnerable!

A new vulnerability has been discovered affecting AMD’s Zen 2 processor lineup, which includes popular processors such as the budget-friendly Ryzen 5 3600, that could be exploited to steal sensitive data such as passwords and encryption keys. Google security researcher Tavis Ormandy first reported this vulnerability, designated “Zenbleed” (CVE-2023-20593) to AMD on May 15 and detailed it on his blog a while ago.

All processors with Zen 2 architecture are affected

The entire Zen 2 product line is affected, including all processors in the AMD Ryzen 3000/4000/5000/7020 series, the Ryzen Pro 3000/4000 series, and AMD’s EPYC “Rome” data center processors. AMD has released the projected release timeline for closure, and most firmware updates are not expected until later this year.

According to Cloudflare, the Zenbleed vulnerability does not require physical access to a user’s computer to attack and can even be run remotely via Javascript on a web page. If executed successfully, the open allows data to be transferred at 30 kbps per core per second. This speed is fast enough to steal sensitive data from any software. The ability of this attack to read data from virtual machines poses a threat, especially to cloud service providers and those using cloud applications.

undetectable

Worse still, Zenbleed is a direct architectural vulnerability so it cannot be avoided by any security software because it does not require any special system calls or privileges to obtain the data. In this respect, it is similar to the Specter and Meltdown exploits we have seen in previous years. Considering that it is easier to exploit the vulnerability, we can say that Zenbleed is more like Meltdown.

AMD has already released a microcode patch for the second generation EPYC 7002 series processors, but the next updates for the remaining CPU series are not expected until October 2023 at the earliest. The company has not disclosed whether these updates will affect system performance, but a statement AMD gave to TomsHardware suggests this is a possibility: “Any performance impacts will vary depending on workload and system configuration.”

Follow AMD’s microcode updates!

Both Ormandy, who discovered the vulnerability, and experts strongly recommend that AMD implement the microcode update. Ormandy states that some temporary software measures can be taken before the updates come, but he underlines that this temporary approach will cause performance loss. In the table below, you can see the processors affected by the Zenbleed vulnerability, the upcoming Agesa version and the patch date.