Securing Your CloudLinux Server: Mitigating New Intel and AMD CPU Vulnerabilities
Following the recent updates on Zenbleed vulnerability patching by the CloudLinux team, we're back with another update on cybersecurity issues. This time, we're dealing with the recent security vulnerabilities affecting Intel and AMD CPUs. CloudLinux is already on the case, and we're here to guide you through the necessary actions to keep your systems safe.
Understanding the Threats
Earlier this week, the tech community buzzed with reports of two new vulnerabilities that put Intel and AMD CPUs at risk: CVE-2023-20569 and CVE-2022-40982 (Downfall). Let's break down what they mean in simpler terms.
- CVE-2023-20569: A Vulnerability in AMD CPUs' Predictive Processing
This vulnerability affects some AMD CPUs and involves speculative execution. On affected CPUs, an attacker may be able to manipulate return address predictions. This can trigger speculative execution at an attacker-controlled address, potentially resulting in the disclosure of sensitive information.
For a comprehensive explanation, you can find the detailed description here.
- CVE-2022-40982 (Downfall): A Vulnerability Revealing Intel CPU Data
This one affects Intel processors. It is a Gather Data Sampling (GDS) transient execution side-channel vulnerability that might enable a local attacker to use gather instructions (memory loading) to infer stale data from vector registers that were previously used on the same physical core.
For an in-depth understanding, you can access the detailed description here.
Mitigation guide
The CloudLinux team is already working on solutions to address these vulnerabilities. In the meantime, here are the mitigation steps you can apply right away.
Mitigating CVE-2023-20569
If you're on CloudLinux 7 or CloudLinux 7h, it's as simple as updating your linux-firmware package from the Beta channel by running the following commands:
- For CL7:
yum install linux-firmware --enablerepo=cloudlinux-update-testing
- For CL7h:
yum install linux-firmware --enablerepo=cl7h_beta
For CloudLinux 8 and CloudLinux 9, mitigating the vulnerability involves installing the latest CPU microcode, which is accessible through AlmaLinux's upcoming release of the linux-firmware package. We will inform you as soon as this updated linux-firmware package becomes available in CloudLinux. For now, you are welcome to join the AlmaLinux public testing group and download the packages already available for testing via the following links:
- CL8: Download here
- CL9: Download here
- Then, to update the CPU microcode, run the following command:
echo 1 > /sys/devices/system/cpu/microcode/reload
Mitigating CVE-2022-40982 (Downfall)
If you're on CloudLinux 7 or CloudLinux 7h, you'll want to update your microcode_ctl package from the Beta channel with the following commands:
- For CL7:
yum install microcode_ctl --enablerepo=cloudlinux-update-testing
- For CL7h:
yum install microcode_ctl --enablerepo=cl7h_beta
- CL8: Download here
- CL9: Download here
- Then, to update the CPU microcode, run the following command:
echo 1 > /sys/devices/system/cpu/microcode/reload
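To confirm that a reload really loaded a newer revision, compare the microcode revision in /proc/cpuinfo before and after it, and read what the kernel reports for each issue. The script below is an added example, not part of the original guide or CloudLinux tooling; it assumes the running kernel exposes the upstream sysfs entries spec_rstack_overflow and gather_data_sampling (kernels without the corresponding patches will not have them), and the values written by make_sample are constructed.

```shell
# Added example. Assumes the upstream sysfs entries spec_rstack_overflow
# (CVE-2023-20569) and gather_data_sampling (CVE-2022-40982) may be present.
CPUINFO=${CPUINFO:-/proc/cpuinfo}
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Distinct microcode revisions across all logical CPUs, space-separated.
microcode_revisions() {
    awk -F': *' '$1 ~ /^microcode/ { print $2 }' "$CPUINFO" | sort -u | paste -sd ' ' -
}

# Kernel status line for one vulnerability entry.
vuln_status() {
    if [ -r "$VULN_DIR/$1" ]; then cat "$VULN_DIR/$1"
    else echo "not reported by this kernel"; fi
}

# 0 = not affected or mitigated, 1 = vulnerable, 2 = unknown or not reported.
classify() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) return 0 ;;
        "Vulnerable"*) return 1 ;;
        *) return 2 ;;
    esac
}

# $1 = revisions recorded before the reload. Returns the worst class seen,
# so non-zero means at least one entry is not confirmed mitigated.
report() {
    after=$(microcode_revisions); worst=0
    if [ "$1" = "$after" ]; then echo "microcode unchanged: $after"
    else echo "microcode changed: $1 -> $after"; fi
    for entry in spec_rstack_overflow gather_data_sampling; do
        status=$(vuln_status "$entry"); rc=0
        classify "$status" || rc=$?
        [ "$rc" -le "$worst" ] || worst=$rc
        echo "$entry: $status"
    done
    return "$worst"
}

# Constructed sample data (not from a real host) for trying the functions offline.
# $1 = target directory, $2 = hex revision without the 0x prefix.
make_sample() {
    mkdir -p "$1/vuln"
    printf 'processor\t: 0\nmicrocode\t: 0x%s\nprocessor\t: 1\nmicrocode\t: 0x%s\n' "$2" "$2" > "$1/cpuinfo"
    echo "Mitigation: Microcode" > "$1/vuln/gather_data_sampling"
    echo "Vulnerable: No microcode" > "$1/vuln/spec_rstack_overflow"
}
```

On a live host, record `before=$(microcode_revisions)` as root, run the reload command above, then call `report "$before"`. An unchanged revision means the installed package did not carry newer microcode for that CPU.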
Wrap Up
Updating your server's firmware and microcode might seem complex, but it's worth it. These actions act as shields against potential attacks. Remember, CloudLinux supports you through the process.
In summary, this guide covers recent Intel and AMD CPU vulnerabilities with CloudLinux's protective measures. Stay tuned for more updates on this topic! 🛡️🔒