Researchers at cloud security startup Wiz are reporting that a whopping 62 percent of AWS environments may be exposed to the newly documented Zenbleed information leak vulnerability in AMD Zen 2 processors.
In a research note posted Wednesday, Wiz calculated that more than 60 percent of AWS environments are running EC2 instances with Zen 2 CPUs and may therefore be affected by the use-after-free memory corruption bug.
Zenbleed, discovered and documented by Project Zero’s Tavis Ormandy, impacts all Zen 2 processors, including Ryzen 3000 (PRO and Threadripper), 4000 (PRO), 5000, 7020, and Epyc (Rome). The issue can be exploited by malicious hackers to steal sensitive data, such as passwords and encryption keys. It is tracked as CVE-2023-20593.
As previously reported, AMD has started releasing microcode updates and the vendor has also advised customers to apply AGESA firmware updates. For some products, the updates are expected to become available in the last quarter of 2023.
Wiz researchers are amplifying the warnings, noting that the flaw can be exploited by an attacker with unprivileged access to an affected machine to escalate privileges or gain access to data.
The company said it combed through its data and found that a vast majority of cloud environments are running the vulnerable Epyc server (“Rome”), which is a CPU designed for data centers.
Wiz is also noting that patches are available from Google Cloud Platform (GCP) while fixes from AWS are expected to be released once testing is complete.
Related: AMD CPU Flaw ‘Zenbleed’ Can Expose Sensitive Information
Related: Intel, AMD Address Multiple Bugs With Patch Tuesday Bulletins
Related: Chipmaker Patch Tuesday: Intel, AMD Address Over 100 Vulns
Related: AMD Processors Expose Sensitive Data in ‘SQUIP’ Attack
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
- CrowdStrike to Acquire Application Intelligence Startup Bionic
- HiddenLayer Raises Hefty $50M Round for AI Security Tech
- Microsoft AI Researchers Expose 38TB of Data, Including Keys, Passwords and Internal Messages
- Extradited Russian Hacker Behind ‘NLBrute’ Malware Pleads Guilty
- Caesars Confirms Ransomware Hack, Stolen Loyalty Program Database
- AuthMind Scores $8.5M Seed Funding for ITDR Tech
- Zero-Day Summer: Microsoft Warns of Fresh New Software Exploits
Latest News
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
