The affected CPUs are the Ryzen 3000 desktop chips, but also the mobile Ryzen 4000 and 5000 series and the APUs for the latest generation “7020” laptops. As The Verge points out, the Ryzen Pro 3000 and 4000 and AMD EPYC “Rome” processors are also affected on the server/supercomputer side.
In detail and according to information from Cloudflare, this new vulnerability does not require physical access to the target computer to attack the system. In some cases, it can actually be controlled remotely with Javascript via a simple web page. Once the vulnerability is exploited, an attacker can transmit data at a rate of 30 kbit per CPU core per second.
A meager transfer speed, but more than enough to steal sensitive data from any software running on the system. A remark that extends to virtual machines or even processes, among other things. We also learn that the exploit used to exploit this flaw is flexible enough to allow, for example, user monitoring within a cloud instance.
After all, the exploit is already particularly difficult to detect. “I don’t know of any reliable exploitation detection technology,” admitted Travis Ormandy. The Verge also points out that this flaw shares some similarities with Specter, but is easier to exploit… making it similar to these Meltdown-type exploits in that sense.