19 votes

Zenbleed - Zen 2 hardware vulnerability

5 comments

  1. riQQ

    This technique is CVE-2023-20593 and it works on all Zen 2 class processors, which includes at least the following products:

    • AMD Ryzen 3000 Series Processors
    • AMD Ryzen PRO 3000 Series Processors
    • AMD Ryzen Threadripper 3000 Series Processors
    • AMD Ryzen 4000 Series Processors with Radeon Graphics
    • AMD Ryzen PRO 4000 Series Processors
    • AMD Ryzen 5000 Series Processors with Radeon Graphics
    • AMD Ryzen 7020 Series Processors with Radeon Graphics
    • AMD EPYC “Rome” Processors

    We reported this vulnerability to AMD on the 15th May 2023.
    AMD have released a microcode update for affected processors. Your BIOS or Operating System vendor may already have an update available that includes it.

    11 votes
  2. [3]
    qob
    How would a malicious actor exploit this? Do I just have to visit a malicious website or do they have to run code outside of the browser? What's the worst case scenario for personal computers?

    5 votes
    1. [2]
      riQQ
      According to the following quote, visiting a malicious website with JavaScript enabled would suffice to carry out the exploit.

      Malware already running on a system, or a rogue logged-in user, can exploit Zenbleed without any special privileges and inspect data as it is being processed by applications and the operating system, which can include sensitive secrets, such as passwords.
      It's understood a malicious webpage, running some carefully crafted JavaScript, could quietly exploit Zenbleed on a personal computer to snoop on this information.

      https://www.theregister.com/2023/07/24/amd_zenbleed_bug/

      4 votes
      1. qob
        Thanks!

        I was going to invest in a 5600G, but it sounds like those are affected. And no patch until December! What a bummer.