In May, Google security researcher Tavis Ormandy discovered the “Zenbleed” bug.
Ormandy has now disclosed the bug on his blog explaining how it can affect users.
Affected AMD CPUs
This new vulnerability can affect the company’s entire Zen 2 product stack. It includes processors like the AMD Ryzen 3000 / 4000 / 5000 / 7020 series along with the Ryzen Pro 3000 / 4000 series. AMD’s EPYC “Rome” data center processors have also been affected by the security flaw. The company has already published its anticipated release timeline for patching the exploit. Most firmware updates are expected to arrive by the end of 2023.
How this bug can affect users
Another report also claims that the flexibility of this exploit is a concern for cloud-hosted services. The bug has the potential to be used to spy on users who are a part of the cloud.
Moreover, Zenbleed can also avoid detection as it doesn’t require any special system calls or privileges to exploit.” I am not aware of any reliable techniques to detect exploitation,” said Ormandy.
How AMD has responded to the bug
AMD has already rolled out a microcode patch for second-generation Epyc 7002 processors. The next updates for the remaining CPU lines are expected to arrive by October. Users who don’t want to wait for the company to roll out the updates can also apply a software workaround to. However, Ormandy has warned that this workaround could also impact system performance. Moreover, even AMD hasn’t disclosed if these updates will impact system performance.
“We are aware of the AMD hardware security vulnerability described in CVE-2023-20593, which was discovered by Tavis Ormandy, a Security Researcher at Google, and we have worked with AMD and industry partners closely. We have worked to address the vulnerability across Google platforms,” a Google spokesperson told the publication.