It turns out that there is a vulnerability 'Zenbleed' that steals data in AMD CPU, data can be stolen regardless of virtual machines and containers

It has become clear that there is a vulnerability `` Zenbleed (CVE-2023-20593) ' ' that allows attackers to read data in AMD CPUs. The affected CPU is a model that uses the 'Zen2 architecture', and an attacker can obtain 30 kb of data per second per core.

Zenbleed
https://lock.cmpxchg8b.com/zenbleed.html

CVE-CVE-2023-20593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593

Cross-Process Information Leak
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

Zenbleed was discovered by Google security researcher Tavis Ormandy . According to Ormandy, AMD's Zen2 architecture CPU has a vulnerability that prevents data from being written correctly, and an attacker can exploit the vulnerability to steal 30kb of data per second per core. Mr. Ormandy has also created Zenbleed's proof-of-concept code and has released how it actually reads data from the CPU.

First big result from our new CPU research project, a use-after-free in AMD Zen2 processors! ???? AMD have just released updated microcode for affected systems, please update! https://t.co/NVPWFpVopz pic.twitter.com/HgKwu9w8Av

— Tavis Ormandy (@taviso) July 24, 2023

Ormandy points out that the speed of '30 kb per second per core' is fast enough to steal user IDs and passwords. In addition, Zenbleed affects regardless of OS, and protection by virtual machines, sandboxes, and containers makes no sense.

At the time of writing, AMD evaluates Zenbleed's severity as 'Medium'. AMD also released microcode for modification for the second generation AMD EPYC (Rome). In addition, we plan to release modified firmware for consumer CPUs according to the following schedule.

https://github.com/google/security-research/tree/master/pocs/cpus/zenbleed