CI Operators:
A speculative execution vulnerability has been discovered in AMD Zen2 CPUs [1]. This vulnerability has been dubbed "Zenbleed" [2] and is tracked as CVE-2023-20593 [3] with "Medium" severity.
Impact:
A malicious actor could steal sensitive data, such as passwords and encryption keys, resident in the CPU cores. Sensitive data could be extracted from any system operations, including those that take place in virtual machines, isolated sandbox environments, and containers. Even a malicious webpage, running some carefully crafted JavaScript, could exploit Zenbleed to snoop on information.
While there are currently no indications of this vulnerability being exploited in the wild, the researcher who discovered the vulnerability has published a proof-of-concept exploit, so the situation may soon change.
Affected Hardware:
AMD CPUs built on the Zen 2 architecture, including:
Recommendation:
Updated microcode/firmware is available from AMD for EPYC CPUs. Check with your OS and hardware vendor for updates and apply when able. Until then, you can mitigate the issue by setting the chicken bit DE_CFG[9] at the cost of performance. To set the chicken bit on all cores in Linux, you can use the wrmsr/rdmsr commands found in the msr-tools package (typically not installed by default) as follows:
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
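To confirm the workaround took effect, the following added example (not part of the original advisory) reads MSR 0xc0011029 on each core and lists any core where bit 9 is still clear. The function names and sample values are constructed for illustration; the `--live` mode assumes root, msr-tools installed, and the msr kernel module loaded.

```shell
#!/bin/sh
# Added example: list cores where DE_CFG[9] (MSR 0xc0011029) is still clear.
MSR=0xc0011029
BIT=9

# bit_is_set VALUE: succeeds when the mitigation bit is set in VALUE.
bit_is_set() {
    [ $(( ($1 >> $BIT) & 1 )) -eq 1 ]
}

# unmitigated_cores: reads "CORE VALUE" pairs on stdin and prints the
# space-separated cores whose value has the bit clear (empty = all set).
unmitigated_cores() {
    missing=""
    while read -r core val; do
        [ -n "$val" ] || continue
        bit_is_set "$val" || missing="$missing $core"
    done
    echo "${missing# }"
}

# read_live: one rdmsr call per core. Assumes root, msr-tools installed and
# the msr kernel module loaded so that /dev/cpu/N/msr exists.
read_live() {
    for dev in /dev/cpu/[0-9]*; do
        core=${dev##*/}
        printf '%s %s\n' "$core" "$(rdmsr -p "$core" -c "$MSR")"
    done
}

# Constructed sample: cores 1 and 3 have not had the bit set.
sample_values() {
    cat <<'EOF'
0 0x9c5a203c0000284
1 0x9c5a203c0000084
2 0x9c5a203c0000284
3 0x9c5a203c0000084
EOF
}

if [ "${1:-}" = "--live" ]; then
    left=$(read_live | unmitigated_cores)
else
    left=$(sample_values | unmitigated_cores)
fi
[ -z "$left" ] && echo "DE_CFG[9] set on all cores" || echo "bit clear on cores: $left"
```

MSR writes do not persist across a reboot, so re-run the check with `--live` after each restart until the microcode update is applied.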
References:
[1] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
[2] https://lock.cmpxchg8b.com/zenbleed.html
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.