A new vulnerability impacting AMD’s line of Zen 2 processors — which includes popular CPUs like the budget-friendly Ryzen 5 3600 — has been discovered that can be exploited to steal sensitive data like passwords and encryption keys. Google security researcher Tavis Ormandy disclosed the “Zenbleed” bug (filed as CVE-2023-20593) on his blog this week after first reporting the vulnerability to AMD on May 15th.

The entire Zen 2 product stack is impacted by the vulnerability, including all processors within the AMD Ryzen 3000 / 4000 / 5000 / 7020 series, the Ryzen Pro 3000 / 4000 series, and AMD’s EPYC “Rome” data center processors. AMD has since published its anticipated release timeline for patching out the exploit, with most firmware updates not expected to arrive until later this year.

According to Cloudflare, the Zenbleed exploit doesn’t require physical access to a user’s computer to attack their system, and can even be executed remotely through Javascript on a webpage. If successfully executed, the exploit allows data to be transferred at a rate of 30 kb per core, per second. That’s fast enough to steal sensitive data from any software running on the system, including virtual machines, sandboxes, containers, and processes, according to Ormandy. As TomsHardware notes, the flexibility of this exploit is a particular concern for cloud-hosted services as it could potentially be used to spy on users within cloud instances.

Worse still — Zenbleed can fly under the radar because it doesn’t require any special system calls or privileges to exploit. “I am not aware of any reliable techniques to detect exploitation,” said Ormandy. The bug shares some similarities with the Spectre class of CPU vulnerabilities in that it makes use of flaws within speculative executions, but it’s far easier to execute — making it more like Meltdown family of exploits. The full technical breakdown regarding the Zenbleed vulnerability can be found on Ormandy’s blog.

AMD has already released a microcode patch for second-generation Epyc 7002 processors, though the next updates for the remaining CPU lines aren’t expected until October 2023 at the earliest. The company hasn’t disclosed if these updates will impact system performance, but a statement AMD supplied to TomsHardware suggests it’s a possibility:

Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment.

Ormandy “highly recommends” that impacted users apply AMD’s microcode update, but has also provided instructions on his blog for a software workaround that can be applied while we wait for vendors to incorporate a fix into future BIOS updates. Ormandy warns that this workaround could also impact system performance, but at least it’s better than having to wait on a firmware update.