Encryption-breaking, password-leaking bug in many AMD CPUs could take months to fix

'A recently disclosed bug in many of AMD's newer consumer, workstation, and server processors can cause the chips to leak data at a rate of up to 30 kilobytes per core per second, writes Tavis Ormandy, a member of Google's Project Zero security team. Executed properly, the so-called "Zenbleed" vulnerability (CVE-2023-20593) could give attackers access to encryption keys and root and user passwords, along with other sensitive data from any system using a CPU based on AMD's Zen 2 architecture. The bug allows attackers to swipe data from a CPU's registers. Modern processors attempt to speed up operations by guessing what they'll be asked to do next, called "speculative execution." But sometimes the CPU guesses wrong; Zen 2 processors don't properly recover from certain kinds of mispredictions, which is the bug that Zenbleed exploits to do its thing. The bad news is that the exploit doesn't require physical hardware access and can be triggered by loading JavaScript on a malicious website. The good news is that, at least for now, there don't seem to be any cases of this bug being exploited in the wild yet, though this could change quickly now that the vulnerability has been disclosed, and the bug requires precise timing to exploit. "AMD is not aware of any known exploit of the described vulnerability outside the research environment," the company told Tom's Hardware. Networking company Cloudflare also says there is "no evidence of the bug being exploited" on its servers. Since the vulnerability is in the hardware, a firmware update from AMD is the best way to fully fix it; Ormandy says it is also fixable via a software update, but it "may have some performance cost." The bug affects all processors based on AMD's Zen 2 architecture, including several Ryzen desktop and laptop processors, EPYC 7002-series chips for servers, and Threadripper 3000- and 3000 Pro WX-series CPUs for workstations.' 
-- source: https://arstechnica.com/information-technology/2023/07/encryption-breaking-p...

Cheers, Peter

--
Peter Reutemann
Dept. of Computer Science
University of Waikato, Hamilton, NZ
Mobile +64 22 190 2375
https://www.cs.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/