Encryption-Breaking, Password-Leaking Bug In Many AMD CPUs Could Take Months To Fix

by requerdanos from SoylentNews on (#6DCN3)

"Arthur T Knackerbracket" writes:

Arthur T Knackerbracket has processed the following story:

A recently disclosed bug in many of AMD's newer consumer, workstation, and server processors can cause the chips to leak data at a rate of up to 30 kilobytes per core per second, writes Tavis Ormandy, a member of Google's Project Zero security team. Executed properly, the so-called "Zenbleed" vulnerability (CVE-2023-20593) could give attackers access to encryption keys and root and user passwords, along with other sensitive data from any system using a CPU based on AMD's Zen 2 architecture.

[...] The bad news is that the exploit doesn't require physical hardware access and can be triggered by loading JavaScript on a malicious website (according to networking company Cloudflare). The good news is that, at least for now, there don't seem to be any cases of this bug being exploited in the wild yet, though this could change quickly now that the vulnerability has been disclosed, and the bug requires precise timing to exploit.

"AMD is not aware of any known exploit of the described vulnerability outside the research environment," the company told Tom's Hardware. Cloudflare also says there is "no evidence of the bug being exploited" on its servers.

Since the vulnerability is in the hardware, a firmware update from AMD is the best way to fully fix it; Ormandy says it is also fixable via a software update, but it "may have some performance cost." The bug affects all processors based on AMD's Zen 2 architecture, including several Ryzen desktop and laptop processors, EPYC 7002-series chips for servers, and Threadripper 3000- and 3000 Pro WX-series CPUs for workstations.

The article mentions that the firmware update for EPYC 7002 is already out, but updates for consumer-market chips may not be available until December.
