What you need to know
- The 'Zenbleed' bug hits AMD's Zen 2 line-up specifically.
- The bug can leak user data in some cases.
- No fix is coming until Q4 of this year.
Yesterday a researcher with Google Information Security named Tavis Ormandy made a post on his blog about a not previously identified vulnerability that he found to be plaguing AMD's Zen 2 processors. This is a pretty big vulnerability that includes all of the Zen 2 line-up. That means Ryzen 2000/3000//4000/5000/7020 are all hit as well as EPYC "Rome" data center processors.
This bug allows for theft of information on the processor. This would include user logins and encryption keys. Note that this does not require physical access to a computer or server system. Access could be gained through a webpage using javascript for instance and can leak about 30kb per core, per second. AMD rates this as a medium severity issue.
AMD explained in straightforward terms how this process actually works:
Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.
AMD
Tavis Ormandy notes that he alerted AMD of this 'Zenbleed' vulnerability on May 15, 2023 and that AMD has already released a microcode update for the affected processors. BIOS or Operating System vendors may already have an update available that includes this microcode update. It's worth noting that there's also a possibility that this will incur a performance cost.
The fix is mainly for AMD's EPYC "Rome" processors which only just rolled out. Ryzen 2000/3000//4000/5000/7020 consumers are unfortunately going to have to wait a lot longer, with fixes scheduled to arrive by November/December at the earliest. Tavis does provide a software workaround for those unable to apply the microcode update.
