There is terrible news for anyone who owns or uses an AMD Ryzen 2 CPU: a new vulnerability has been identified that could allow confidential information to leak. Worse, AMD, which has confirmed the vulnerability in a new study, claims that a remedy won’t be available anytime soon. Worse still, the attack may be launched via JavaScript on a website and doesn’t even need physical access to the victim’s computer. It’s referred to as “Zenbleed” because it affects all Zen 2 products, including Ryzen, Threadripper, and Epyc CPUs.
Tavis Ormandy, a Google security researcher, found the flaw and notified AMD about it on May 15. He has just made it public, and based on the length of time it took AMD to respond when Tom’s Hardware reached out for a reaction, it appears that AMD wasn’t quite ready for the announcement. It affects all Epyc data center CPUs and Zen 2 processors from the 3000/4000/5000 family, including Threadripper 3000.
According to AMD’s security alert, a register in “Zen 2” CPUs may not be written to 0 successfully under specific microarchitectural conditions. This could result in data from another process or thread being saved in the YMM register, giving an attacker access to potentially sensitive data.
Because of the vulnerability, an attacker may be able to gather private information from a Zen 2 CPU at a rate of 30 kilobytes per core, per second, from any software that is currently running on the CPU. Local programmes, virtual machines, and cloud instances are all included in this. Encryption keys and user login information are examples of data that could be compromised.
Although it sounds terrible, AMD only rates this threat as “medium” in its security alert regarding the vulnerability. This may be because, as it informed Tom’s Hardware, it has not heard of this vulnerability being exploited anywhere other than a research environment.