We're fully patched against Zenbleed

If you've been getting into tech-heavy news sites in the past few days, you might have seen some warnings about a new vulnerability called Zenbleed. It was alarming to us, because a lot of MyHost servers contain the AMD chips that were affected. But the good news today is that all of our infrastructure is now patched against Zenbleed.

This is the latest example of our expert team getting on top of issues as quickly as possible. For us, the best outcome is when our customers don't even notice issues before we've solved them.

What Zenbleed is: The short version (with links)

Zenbleed is a vulnerability in every processor (aka chip or CPU) manufactured by AMD with the popular Zen 2 architecture. It doesn't matter what operating system (OS) or software runs on the processor - the issue is with the hardware itself. You might remember the names "Spectre" and "Meltdown" from 2018. They were similar vulnerabilities that affected a different set of processors made by other manufacturers, notably Intel.

We moved fast to protect all our servers and customers from the day that Zenbleed was publicly disclosed.

It takes a lot of words and diagrams to explain exactly how Zenbleed can be exploited. What's important to know is that attacks can be performed remotely - "even via javascript on a webpage", according to Tom's Hardware.

Once an attacker is in, they can "spy in real time, viewing data flowing throughout the system". That data could include passwords, and much else besides. (That's abridged from XDA's very thorough article).

It doesn't appear that Zenbleed has led to many attacks actually happening. That said, it's essentially impossible to look at a website, server or chip and tell whether Zenbleed has been exploited. But no successful attacks have been reported by the researchers who found Zenbleed, the chip manufacturer AMD, or any other commentators we've read.

A very widespread issue

We were very, very far from alone in having servers to patch. Zen 2 architecture is a feature of millions of AMD chips around the world. It was introduced in 2019 and WikiChip counts 83 different models with the architecture. AMD branded their Zen 2 server chips as "EPYC".

But it's not just servers. You can find Zen 2 architecture inside laptops, desktops, even PlayStation 5s and the fourth-generation Xbox (Series X and S).

All affected MyHost servers are patched

We moved fast to protect all our servers and customers from the day that Zenbleed was publicly disclosed. AMD had been quietly alerted to the issue in May, and they had a microcode update ready to go when the news was released to the world.

Our team is highly attuned to security bulletins from suppliers like AMD, so within hours of their disclosure on June 24 we were already working on patching Zenbleed.

Because server outages were required, and because we’re always incredibly careful when it comes to testing and implementing new patches, the entire process took a few days. We also like to give systems some time to run before we write “all clear” articles like this one. But we’re happy to report that the job is done, Zenbleed is not an issue for any of our servers, and that we kept disruptions for our customers to the lowest practical level.

More reading for real nerds

• The Verge’s article was one of the more readable reports from the first 24 hours, and has a lot of links to other sources.
• Security researcher Travis Ormandy led the discovery of Zenbleed and was the person who initially disclosed it to AMD. As you'd expect, his write-up is very, very technical.
• On Cloudflare’s blog three authors, including their Head of Hardware Security, have done an admirable job of turning that technical detail into something that probably won’t melt regular peoples’ brains.
• Zenbleed doesn't have its own Wikipedia page (yet?), but it's one of many examples in the Transient execution CPU vulnerability article.

Main photo by Krzysztof Hepner on Unsplash