CloudLinux Takes Action Against Zenbleed Vulnerability: Upcoming Patches
CVE-2023-20593 (Cross-Process Information Leak on AMD Zenbleed systems) was published in the official security bulletin on July 25th, 2023. Please read this security blog to learn more about this vulnerability.
The Zenbleed vulnerability, known as CVE-2023-20593 , allows data to be stolen at a rate of 30kb per second for each CPU core. This means it can quickly and effectively steal sensitive information that the CPU is handling. The risk is widespread and affects all software that operates on the compromised processor, such as virtual machines, sandboxes, containers, and processes. The fact that this attack can steal data from many virtual machines at once is causing a lot of concern for both cloud service providers and their users.
Every Zen 2 CPU, inclusive of EPYC Rome processors, is at risk to this vulnerability, as per Ormandy’s statements:
- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC “Rome” Processors
The vulnerability can be exploited via arbitrary code execution that doesn’t require elevated permissions. Ormandy has made available a repository of security research and exploit code. The exploit works by altering the register files to cause a mispredicted command.
How to solve the issue for CloudLinux customers?
Cloudlinux is still working on proper patches. However, you can mitigate the issue by executing the following instructions:
CloudLinux 8:
dnf update
https://build.almalinux.org/pulp/content/builds/AlmaLinux-8-x86_64-7032-br/Packages/l/linux-firmware-20230404-114.git2e92a49f.el8_8.alma.noarch.rpm
CloudLinux 9:
dnf update
To check that the installation completed successfully, you can run:
rpm -qa linux-firmware
To update CPU microcode run the following:
echo 1 > /sys/devices/system/cpu/microcode/reload
We will inform you as soon as the patches are in the stable repository.