CloudLinux Takes Action Against Zenbleed Vulnerability: Upcoming Patches

 


CVE-2023-20593 (Cross-Process Information Leak on AMD Zenbleed systems) was published in the official security bulletin on July 25th, 2023. Please read this security blog to learn more about this vulnerability.


Table of contents:

1. Vulnerability description 

2. Mitigation guide for CloudLinux OS

3. Updates as of August 3, 2023 - clarification on OS versions required for mitigation

4. Updates as of August 11, 2023 - update command for CloudLinux OS 7 hybrid added 

 

The Zenbleed vulnerability, known as CVE-2023-20593, allows data to be stolen at a rate of 30kb per second for each CPU core. This means it can quickly and effectively steal sensitive information that the CPU is handling. The risk is widespread and affects all software that runs on the affected processor, such as virtual machines, sandboxes, containers, and processes. Because this attack can steal data from many virtual machines at once, it is causing a lot of concern for both cloud service providers and their users.

Every Zen 2 CPU, including EPYC Rome processors, is affected by this vulnerability, according to Ormandy:

  • AMD Ryzen 3000 Series Processors
  • AMD Ryzen PRO 3000 Series Processors
  • AMD Ryzen Threadripper 3000 Series Processors
  • AMD Ryzen 4000 Series Processors with Radeon Graphics
  • AMD Ryzen PRO 4000 Series Processors
  • AMD Ryzen 5000 Series Processors with Radeon Graphics
  • AMD Ryzen 7020 Series Processors with Radeon Graphics
  • AMD EPYC “Rome” Processors

The vulnerability can be exploited via arbitrary code execution that doesn't require elevated permissions. Ormandy has made available a repository of security research and exploit code. The exploit works by altering the register files to cause a mispredicted command.

 

How to solve the issue for CloudLinux customers? 

 

You can mitigate the issue by executing the following instructions: 

 

For CloudLinux 8 and 9, updated microcode is already in the stable repository. To update, run:

dnf update linux-firmware

echo 1 > /sys/devices/system/cpu/microcode/reload

 

For CloudLinux 7, updated microcode is in beta (ETA for the stable repository is August 7, 2023). To update, run:

yum install --enablerepo=cloudlinux-updates-testing  linux-firmware

echo 1 > /sys/devices/system/cpu/microcode/reload

 

To check that the installation was completed successfully, you can run:

rpm -qa linux-firmware

 

Note!

The patches fix the Zenbleed vulnerability only on AMD EPYC “Rome” Processors.

Patches for the other processors mentioned will be available in the next microcode releases.

We will keep you posted on the latest updates.


 

Update as of Aug 11, 2023:

 

For CloudLinux OS 7h, run the following commands to update:

yum install --enablerepo=cl7h_beta linux-firmware
echo 1 > /sys/devices/system/cpu/microcode/reload

 

Update as of Aug 3, 2023:

  • CloudLinux 8 version should be higher than
    linux-firmware-20230404-114.git2e92a49f.el8_8.alma.noarch.rpm

  • CloudLinux 9 version should be higher than
    linux-firmware-20230310-134.el9_2.alma.noarch.rpm

  • CloudLinux 7 version should be higher than
    linux-firmware-20200421-80.git78c0348.el7_9.cloudlinux.noarch
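
The version check above can be scripted. The following is an added example, not CloudLinux's own tooling: it compares an installed linux-firmware package name with the baselines listed above. The function names, the host argument and the use of sort -V as an approximation of RPM's version ordering are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare an installed linux-firmware build with the baselines
# from the "Update as of Aug 3, 2023" list on this page.

# Baseline for a CloudLinux major version (strings copied from this page).
baseline_for() {
  case "$1" in
    7) echo "linux-firmware-20200421-80.git78c0348.el7_9.cloudlinux.noarch" ;;
    8) echo "linux-firmware-20230404-114.git2e92a49f.el8_8.alma.noarch.rpm" ;;
    9) echo "linux-firmware-20230310-134.el9_2.alma.noarch.rpm" ;;
    *) return 1 ;;
  esac
}

# Reduce a package name to "version-release" (drop name, .rpm and .noarch).
ver_rel() {
  local s
  s=${1#linux-firmware-}
  s=${s%.rpm}
  echo "${s%.noarch}"
}

# Exit 0 only when $2 (installed) sorts strictly higher than $1 (baseline).
# Assumption: sort -V ordering stands in for RPM's own version comparison.
is_higher() {
  local base inst
  base=$(ver_rel "$1")
  inst=$(ver_rel "$2")
  [ "$base" != "$inst" ] &&
    [ "$(printf '%s\n%s\n' "$base" "$inst" | sort -V | tail -n 1)" = "$inst" ]
}

# Verdict for a major version and an installed package string.
fw_status() {
  local base
  base=$(baseline_for "$1") || { echo "unknown-os"; return 0; }
  if is_higher "$base" "$2"; then echo "ok"; else echo "update-needed"; fi
}

# On a real host, run: sh check_fw.sh host   (script name is hypothetical)
if [ "${1:-}" = "host" ]; then
  major=$(. /etc/os-release && echo "${VERSION_ID%%.*}")
  installed=$(rpm -q linux-firmware | sort -V | tail -n 1)
  echo "linux-firmware: $installed -> $(fw_status "$major" "$installed")"
  grep -m1 '^microcode' /proc/cpuinfo   # revision the running CPU reports
fi
```

Run it with the host argument after the microcode reload; the microcode line from /proc/cpuinfo shows the revision the CPU currently reports, which can be compared with the value seen before the reload.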
