A new vulnerability has been discovered in AMD’s Zen 2 processors, one that allows data such as passwords and encryption keys to be stolen from the CPU. Disclosed publicly this week by Google security researcher Tavis Ormandy, the flaw affects consumer and server chips, including Ryzen 3000 units.
As detailed by Ormandy in a blog post, this “Zenbleed” vulnerability was first shared with AMD in mid-May. It can be exploited through JavaScript on a web page; no access to the PC itself is involved. And when successfully exploited, Zenbleed allows attackers to see any CPU activity, including what’s happening in a sandbox or virtual machine. (You can find all the technical details in Ormandy’s post, or an abbreviated version in this report by Tom’s Hardware.) All Zen 2 processors in the following families are affected:
- AMD Ryzen 3000 Series processors
- AMD Ryzen PRO 3000 Series processors
- AMD Ryzen Threadripper 3000 Series processors
- AMD Ryzen 4000 Series processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series processors
- AMD Ryzen 5000 Series processors with Radeon Graphics
- AMD Ryzen 7020 Series processors with Radeon Graphics
- AMD EPYC “Rome” processors
Meanwhile, AMD has just released microcode updates for the 2nd generation EPYC server CPUs, along with a security advisory describing the vulnerability (tracked as CVE-2023-20593) and its mitigation plan.
For consumers, fixes will be delivered through original equipment manufacturers (for example, Dell or HP for pre-built PCs and laptops, and motherboard manufacturers for DIY PC builders), with arrival dates set for the end of this year. Threadripper 3000 units will start to receive the new AGESA firmware in October, followed by Ryzen 4000 processors in November. For Ryzen 3000 and 4000 desktop CPUs, as well as Ryzen 5000 and 7020 processors, the target is December 2023.
If you don’t want to wait for AMD, Ormandy explains how to apply a software workaround, although its effect on performance is unknown. The effect of AMD’s fixes on performance is also not known at this time, although in a statement to Tom’s Hardware, AMD explained that it depends on the workload and the configuration of the PC.
Either way, if you have a Zen 2 CPU, you’ll want to put a reminder on your calendar to check for the mitigation. Applying it promptly will be essential for your online security.
This article was updated on 7/24/2023 at 3:30pm to include more information about AMD’s plans to mitigate Zenbleed and the firmware update process.