Tavis Ormandy, a Google Security researcher has discovered a new vulnerability affecting AMD’s Zen 2 processors. Dubbed Zenbleed, the security flaw could let attackers steal passwords, cryptographic keys, and other sensitive information from software running on vulnerable machines.
“The vulnerability in AMD’s Zen 2-architecture-based CPUs, wherein data from another process and/or thread could be stored in the YMM registers, a 256-bit series of extended registers, potentially allowing an attacker access to sensitive information. This vulnerability is caused by a register not being written to 0 correctly under specific microarchitectural circumstances. Although this error is associated with speculative execution, it is not a side channel vulnerability,” Cloudflare explained.
The Zenbleed vulnerability affects the following AMD Zen 2 processors:
AMD has since published a security advisory that describes the security flaw as a “cross-process information leak.” The company has also released a microcode patch for second-generation Epyc 7002 processors.
Meanwhile, AMD plans to roll out updates for high-end desktops in October, with Ryzen 4000 mobile processors to follow in November. Moreover, a fix for Ryzen 3000 and 4000 desktop CPUs and Ryzen 5000 and 7020 mobile processors is expected to be available in December this year.
It’s important to note that these updates may likely impact system performance depending on the workload and PC configuration. “Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment,” AMD said in a statement to Toms Hardware.
Ormandy has also detailed a temporary workaround solution that can be applied until a firmware update is available. The process involves setting a control bit that disables some functionality to block potential exploitation of the vulnerability. However, Ormandy warned that the workaround could cause some kind of performance hit.