Select Page

A new security vulnerability has been discovered in AMD’s Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords.

Discovered by Google Project Zero researcher Tavis Ormandy, the flaw – codenamed Zenbleed and tracked as CVE-2023-20593 (CVSS score: 6.5) – allows data exfiltration at the rate of 30 kb per core, per second.

The issue is part of a broader category of weaknesses called speculative execution attacks, in which the optimization technique widely used in modern CPUs is abused to access cryptographic keys from CPU registers.

“Under specific microarchitectural circumstances, a register in ‘Zen 2’ CPUs may not be written to 0 correctly,” AMD explained in an advisory. “This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.”

Web infrastructure company Cloudflare noted that the attack could even be carried out remotely through JavaScript on a website, thereby obviating the need for physical access to the computer or server.

images from Hacker News