Amd: Google researcher discovers bug in AMD CPUs: How can it affect users – Times of India

A researcher with Google Information Security has found a hardware vulnerability with the potential to affect AMD’s line of Zen 2 processors. This flaw can be exploited to steal sensitive data like passwords and encryption keys. AMD’s affected processor lineup also includes popular CPUs like the budget-friendly Ryzen 5 3600.

In May, Google security researcher Tavis Ormandy discovered the “Zenbleed” bug.

Ormandy has now disclosed the bug on his blog explaining how it can affect users.
Affected AMD CPUs
This new vulnerability can affect the company’s entire Zen 2 product stack. It includes processors like the AMD Ryzen 3000 / 4000 / 5000 / 7020 series along with the Ryzen Pro 3000 / 4000 series. AMD’s EPYC “Rome” data center processors have also been affected by the security flaw. The company has already published its anticipated release timeline for patching the exploit. Most firmware updates are expected to arrive by the end of 2023.
How this bug can affect users
According to a report by Tom’s hardware, the Zenbleed exploit doesn’t require physical access to a user’s computer to attack their system. Hackers can exploit the bug by remotely executing it through Javascript on a webpage. The vulnerability can allow data transfers at a rate of 30kb per core, per second if executed successfully. Such speeds are fast enough to steal sensitive data from any software running on the system. This includes virtual machines, sandboxes, containers, and processes, Ormandy claims.
Another report also claims that the flexibility of this exploit is a concern for cloud-hosted services. The bug has the potential to be used to spy on users who are a part of the cloud.
Moreover, Zenbleed can also avoid detection as it doesn’t require any special system calls or privileges to exploit.” I am not aware of any reliable techniques to detect exploitation,” said Ormandy.

How AMD has responded to the bug
AMD has already rolled out a microcode patch for second-generation Epyc 7002 processors. The next updates for the remaining CPU lines are expected to arrive by October. Users who don’t want to wait for the company to roll out the updates can also apply a software workaround to. However, Ormandy has warned that this workaround could also impact system performance. Moreover, even AMD hasn’t disclosed if these updates will impact system performance.
“We are aware of the AMD hardware security vulnerability described in CVE-2023-20593, which was discovered by Tavis Ormandy, a Security Researcher at Google, and we have worked with AMD and industry partners closely. We have worked to address the vulnerability across Google platforms,” a Google spokesperson told the publication.