The new AMD vulnerability discovered by @taviso and his team makes all AMD Zen 2 processors vulnerable. Also known as Zenbleed.

I compiled the demo code and there we go, I can see a lot of information getting leaked from memory. Not great; it’s the AMD variant of the Meltdown/Spectre bug basically. It uses however an “optimization” operator (cvtsi2sd) to trigger the vulnerability in the CPU, allowing it to read 30kb/core/second of data. No special permissions required. Works on all platforms, all operating systems, VM or Docker, it doesn’t matter…

This vulnerability was found using fuzzing, which is an automated way of injecting wrong input values and seeing when or if something breaks.

Currently only EPYC processors have received a fix. All other AMD Zen 2 processors are still fully vulnerable. There are also no BIOS firmware updates yet. I doubt whether this premature public release from AMD was intentional or not…

More info: https://lock.cmpxchg8b.com/zenbleed.html
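Since the post says which processor generation is affected and that fixes are arriving per model as microcode, the practical question for an operator is "is this box a Zen 2 part, and is its microcode at a fixed revision yet?". The script below is an added example written for this thread, not code from the post or from the Zenbleed write-up: it parses `/proc/cpuinfo`-style text and reports, per logical CPU, whether the part is Zen 2 and whether its loaded microcode is at or above the fixed revision. The Zen 2 model ranges and the minimum fixed microcode revisions are assumptions taken from the Linux kernel's Zenbleed mitigation table and should be cross-checked against the current AMD advisory; the `/proc/cpuinfo` samples embedded below are constructed.

```python
"""Report whether CPUs described in /proc/cpuinfo text are Zen 2 and whether
their microcode revision carries the Zenbleed fix.

Example added for this thread; ranges and revisions are assumptions taken from
the Linux kernel's Zenbleed mitigation table. Verify against AMD's advisory.
"""
import sys
from pathlib import Path

# Zen 2 cores are AMD family 0x17 with these model ranges
# (Rome/Castle Peak, Renoir, Lucienne, Matisse, Van Gogh, Mendocino).
ZEN2_MODEL_RANGES = [(0x30, 0x3F), (0x60, 0x6F), (0x70, 0x7F), (0x90, 0x9F), (0xA0, 0xAF)]

# Minimum microcode revision with the fix, keyed by model range (assumption:
# values mirror the kernel's table; a model range missing here yields "unknown").
ZENBLEED_FIXED_UCODE = {
    (0x30, 0x3F): 0x0830107A,
    (0x60, 0x67): 0x0860010B,
    (0x68, 0x6F): 0x08608105,
    (0x70, 0x7F): 0x08701032,
    (0xA0, 0xAF): 0x08A00008,
}


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one {field: value} dict per processor."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus


def is_zen2(fields):
    """True when the vendor/family/model triple identifies a Zen 2 core."""
    if fields.get("vendor_id") != "AuthenticAMD":
        return False
    try:
        family = int(fields.get("cpu family", "0"))
        model = int(fields.get("model", "0"))
    except ValueError:
        return False
    return family == 0x17 and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def assess_cpu(fields):
    """Return 'not_zen2', 'fixed', 'vulnerable' or 'unknown' for one CPU."""
    if not is_zen2(fields):
        return "not_zen2"
    model = int(fields["model"])
    try:
        ucode = int(fields.get("microcode", ""), 16)  # e.g. "0x8701021"
    except ValueError:
        return "unknown"
    for (lo, hi), fixed in ZENBLEED_FIXED_UCODE.items():
        if lo <= model <= hi:
            return "fixed" if ucode >= fixed else "vulnerable"
    return "unknown"


def assess(text):
    """Assess every processor block in the given /proc/cpuinfo text."""
    return [assess_cpu(f) for f in parse_cpuinfo(text)]


# Constructed samples: a Ryzen 3700X (Matisse, model 0x71) on pre-fix microcode,
# an EPYC 7002 (Rome, model 0x31) on the fixed revision, and a non-AMD part.
SAMPLE_RYZEN = "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 113\nmicrocode\t: 0x8701021\n"
SAMPLE_EPYC = "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 49\nmicrocode\t: 0x830107a\n"
SAMPLE_INTEL = "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 158\nmicrocode\t: 0xf0\n"

if __name__ == "__main__":
    src = Path("/proc/cpuinfo")
    text = src.read_text() if src.exists() else SAMPLE_RYZEN
    for i, status in enumerate(assess(text)):
        print(f"cpu{i}: {status}")
    sys.exit(1 if "vulnerable" in assess(text) else 0)
```

A "vulnerable" result means the loaded microcode alone does not contain the fix; a kernel new enough to apply its own MSR-based fallback mitigation may still protect the machine, so treat the script as a microcode inventory check rather than a final verdict, and re-run it after a microcode package or BIOS update to confirm the revision actually moved.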

  • @themoonisacheese · 2 points · 11 months ago

    This has nothing to do with heartbleed. It’s a branch prediction error exploit, which is similar in spirit to meltdown/spectre which is what you’re thinking about. Why the authors would name it zenbleed is beyond me.

    This won’t be fixed by a BIOS firmware upgrade. This will be fixed by a microcode update that will probably install automatically on all major platforms.

    • melroy (OP, mod) · 1 point · 11 months ago

      Ah, you’re right, I was thinking about the Meltdown/Spectre of Intel. Why they called it Zenbleed I’m not sure either. BIOS firmware upgrades can also fix CPU vulnerabilities.