AMD's Zen 2 chip has a security bug that will be patched between now and 2024.

General
AMD's Zen 2 chip has a security bug that will be patched between now and 2024.

Security Vulnerability Found in AMD Processors Built on Zen 2 Architecture The so-called "Zenbleed" vulnerability discovered by Google researchers threatens to open the door to potential attackers and potentially expose sensitive information. Don't worry, a fix is available, but we gamers will have to wait a little longer than our server-side peers to get it. [Zenbleed affects all Zen 2 processors, including Ryzen 3000/4000, Threadripper 3000, Ryzen 4000/5000/7020 mobile, and Epyc Rome generation.

The vulnerability, as AMD explains in its security bulletin, "under certain microarchitecture circumstances, a register on the 'Zen 2' CPU may not be written to 0 correctly. This could allow data from other processes or threads to be stored in the YMM registers, potentially giving an attacker access to sensitive information.

This vulnerability is rated as "Medium" severity by AMD, but a CVE (CVE-2023-20593) is not currently rated.

Tavis Ormandy, the discoverer of the vulnerability, further details how this exploit works in their blog post. They believe that the reason they found the bug, as opposed to AMD in their post-silicon development validation, is because they oddly enough do not have a background in electrical engineering. They credit a technique called "fuzzing" for sniffing out the bug. This is a method of testing strange and unexpected data on a computer to reveal unlikely architectural behavior.

Ormandy noted that the vulnerability works not only on common machines, but also on virtual machines, sandboxes, containers, processors, "anything."

Obviously, this is a huge problem for large cloud providers who take security very seriously. [After first pointing out the issue, AMD, when interviewed by Tom's Hardware, said it was not aware of any actual exploits outside of research environments. It seems unlikely that this vulnerability poses a threat to the average gamer, and it is the cloud provider rather than you or I who should be worried about potential attacks.

AMD was informed of this vulnerability on May 15, 2023 and has been working on mitigation since then.

Mitigations for Zenbleed have already begun rolling out, starting with the affected Epyc chips; Threadripper chips will be patched around October to December, depending on the model. Laptop Ryzen processors should begin to be fixed around November or December of this year.

Finally, desktop Ryzen processors will probably be patched around December of this year. As a result of the Spectre vulnerability that affected many chips, it was not that long ago that hardware mitigation was required to fix side-channel attack vulnerabilities in some Intel processors.

Nevertheless, it is not yet known how these patches will affect performance. It is not known at this time if they will affect gaming, but mitigations may. 23]

AMD told Tom's Hardware that "the performance impact will vary depending on workload and system configuration."

AMD has also stated that "the performance impact will vary depending on workload and system configuration.

As vague as this is about performance issues, there is still nothing to worry about. The important thing is to be aware of the new AGESA firmware and to protect your system in case some malicious person attempts to take advantage of this exploit. For desktop chips, this is ComboAM4v2PI_1.2.0.C or ComboAM4PI_1.0.0.C

.

Categories