Zenbleed (CVE-2023-20593)


Fleury, Terry

Jul 25, 2023, 4:39:22 PM
to cv-an...@trustedci.org

CI Operators:

A speculative execution vulnerability has been discovered in AMD Zen2 CPUs [1]. This vulnerability has been dubbed "Zenbleed" [2] and is tracked as CVE-2023-20593 [3] with "Medium" severity.

 

Impact:

A malicious actor could steal sensitive data, such as passwords and encryption keys, resident in the CPU cores. Sensitive data could be extracted from any system operations, including those that take place in virtual machines, isolated sandbox environments, and containers. Even a malicious webpage, running some carefully crafted JavaScript, could exploit Zenbleed to snoop on information.

 

While there are currently no indications of this vulnerability being exploited in the wild, the researcher who discovered the vulnerability has published a proof-of-concept exploit, so the situation may soon change.

 

Affected Hardware:

AMD CPUs built on the Zen 2 architecture, including:

  • AMD Ryzen 3000 Series Processors
  • AMD Ryzen PRO 3000 Series Processors
  • AMD Ryzen Threadripper 3000 Series Processors
  • AMD Ryzen 4000 Series Processors with Radeon Graphics
  • AMD Ryzen PRO 4000 Series Processors
  • AMD Ryzen 5000 Series Processors with Radeon Graphics
  • AMD Ryzen 7020 Series Processors with Radeon Graphics
  • AMD EPYC “Rome” Processors

Recommendation:

Updated microcode/firmware is available from AMD for EPYC CPUs. Check with your O/S and hardware vendor for updates and apply when able. Until then, you can mitigate the issue by setting the chicken bit DE_CFG[9] at the cost of performance. To set the chicken bit on all cores in Linux, you can use the wrmsr/rdmsr commands found in the msr-tools package (typically not installed by default) as follows:

 

wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))

 

References:

[1] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

[2] https://lock.cmpxchg8b.com/zenbleed.html

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593 

 

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
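
The chicken-bit mitigation from the Recommendation section can also be audited and applied core by core; the script below is an added example and not part of the original advisory. It assumes root, msr-tools and a loaded msr kernel module, and its `check`/`apply` modes and function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit or apply DE_CFG[9] on every core, one core at a time.
# Assumes root, msr-tools (rdmsr/wrmsr) and a loaded msr module (/dev/cpu/N/msr).
MSR=0xc0011029   # DE_CFG MSR address, from the advisory
BIT=9            # chicken bit position, from the advisory

# bit_is_set VALUE: succeeds if bit 9 is set in VALUE
bit_is_set() { [ $(( $1 & (1 << BIT) )) -ne 0 ]; }

# with_bit VALUE: prints VALUE with bit 9 set and all other bits preserved
with_bit() { printf '0x%x\n' $(( $1 | (1 << BIT) )); }

# unmitigated: reads "cpu value" lines on stdin, prints CPUs lacking the bit
unmitigated() {
    while read -r cpu val; do
        [ -n "$val" ] || continue
        bit_is_set "$val" || printf '%s\n' "$cpu"
    done
}

# read_cores: prints "cpu value" for each core; fails if a read fails
read_cores() {
    for dev in /dev/cpu/[0-9]*/msr; do
        [ -e "$dev" ] || continue
        cpu=${dev#/dev/cpu/}; cpu=${cpu%/msr}
        val=$(rdmsr -p "$cpu" -c "$MSR") || return 2
        printf '%s %s\n' "$cpu" "$val"
    done
}

mode=${1:-}      # "check" or "apply"; anything else only defines the functions
if [ "$mode" = check ] || [ "$mode" = apply ]; then
    cores=$(read_cores) && [ -n "$cores" ] || {
        echo "cannot read MSRs: run as root after 'modprobe msr'" >&2; exit 2; }
    if [ "$mode" = apply ]; then
        printf '%s\n' "$cores" | while read -r cpu val; do
            bit_is_set "$val" || wrmsr -p "$cpu" "$MSR" "$(with_bit "$val")"
        done
        cores=$(read_cores)   # re-read so the report reflects the hardware state
    fi
    missing=$(printf '%s\n' "$cores" | unmitigated)
    [ -z "$missing" ] || { echo "DE_CFG[9] NOT set on CPUs:" $missing; exit 1; }
    echo "DE_CFG[9] set on all cores"
fi
```

MSR writes do not survive a reboot, so rerun `check` after each restart until the microcode update is installed.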

 
