Recently, a cybersecurity researcher discovered a dangerous vulnerability within AMD’s Zen 2 processors. Dubbed “Zenbleed,” the vulnerability allows attackers to gain access to your computer and steal all of the most sensitive information, including passwords and encryption keys. While this doesn’t affect AMD’s best processors, it’s still a dangerous vulnerability with a wide reach, as it’s present in all Zen 2 CPUs, including consumer chips and data center EPYC processors. AMD has a fix on the way, but it might come at a price.
The bug was first spotted by Tavis Ormandy, a researcher working with Google Information Security, who made it public at the end of July. Since then, the researcher has also released a proof of concept code that shows how it works. This, while useful, might help attackers exploit this vulnerability until AMD comes up with a fix.
While the first patch is already here, most consumers will need to wait until as late as November and December, and right now, there are no good solutions. Tom’s Hardware tested the only option currently available to consumer-level processors, which is a software patch that only lasts until you reboot your PC.
Tom’s Hardware tried the software solution in order to see just how badly performance can be affected by a possible fix, and the news isn’t great, but it could also be worse. Gamers remain virtually unaffected, so you can rest easy if you use your CPU inside a gaming PC. However, productivity applications take a hit during many workloads, with performance drops ranging from 1% to 16% depending on the software.
Zenbleed exploits a flaw in Zen 2 chips to extract data at a rate of 30kb per core, so the better the processor, the faster the extraction. This attack affects every kind of software that’s running on the processor, including virtual machines and sandboxes. The fact that it can steal data from virtual machines is especially worrying, given the fact that it affects AMD EPYC CPUs that run in data centers.
AMD deemed Zenbleed to be of medium severity, describing the flaw as follows: “Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.”
It’s worth noting that AMD is not alone in battling this kind of vulnerability on its older chips. Intel, for instance, has recently been dealing with the Downfall bug, and the performance drops from possible fixes are severe, reaching up to 36%.
Regardless of the technicalities, any flaw that allows hackers to steal practically any information stored within a PC sounds dangerous enough, especially if it can do so without being detected — which Zenbleed can. Unfortunately, Zen 2 owners will have to choose between leaving themselves exposed to the effects of Zenbleed and sacrificing some performance to stay secure, unless AMD can manage to iron these things out in time.