A new security vulnerability has been discovered affecting Advanced Micro Devices Inc. Zen 2 processors that can be exploited to steal passwords and other sensitive data such as encryption keys.

Google security researcher Travis Ormandy revealed the bug on his blog Monday, naming it “Zenbleed,” which has been filed as CVE-2023-20593. It was first reported to AMD on May 15.

The new exploit affects all Zen 2 processors, which include Ryzen 3000/4000, Threadripper 3000, Ryzen 4000/5000/7020 mobile and Eypc Rome.

According to AMD’s own security bulletin, the vulnerability occurs only “under specific microarchitectural circumstances” and what happens is that a register in the CPU may not be written as “0” correctly. This causes data from another process and threads to be stored in an open “vector register,” allowing an attacker to access it. Since the exploit was detected rapidly and there was no use in the wild, AMD listed its severity as “Medium.”

Ormandy said that because of the nature of the exploit, the vulnerability bypasses the usual routes that an operating system uses to segregate memory from being read between processes. As a result, anything can be read from anywhere and the exploit would go completely undetected while happening.

“In the wake of vulnerabilities like Spectre and Meltdown, many additional vulnerabilities and attacks have been discovered by researchers investigating very specialized areas of code and hardware impacting CPUs,” Scott Caveza, a staff research engineer at Tenable Inc., told SiliconANGLE. “What makes Zenbleed different from other discoveries is that it is not a timing or sidechannel attack. Instead, contents from registers can be read directly.”

Caveza explained that this makes the attack particularly problematic to cloud providers because it means that the flaw exposes data being processed by virtual machines. “In essence, the data can be read as quickly as it’s processed and this could allow an attacker to access sensitive data such as passwords and cryptographic keys,” Caveza said. “This makes this vulnerability quite dangerous, especially in cloud or shared environments.”

Content delivery network Cloudflare Inc. said its network includes servers affected by Zenbleed, because it uses AMD’s Zen line of CPUs. Cloudflare’s researchers noted that the attack can be executed remotely via JavaScript via a website, meaning an attacker does not need direct access to a machine in order to steal information.

“We have seen no evidence of the bug being exploited and will continue to monitor traffic across our network for any attempts to exploit the bug and report on our findings,” the Cloudflare team said.

AMD is already rolling out patches for Zenbleed, beginning with affected Epyc chips, which are server-side processors. Threadripper chips will see patches appear around October and December, mobile Ryzen processors are expected to have patches around November, and desktops will be patched around December.

Image: Colin Behrens/Pixabay