Security AMD Zenbleed Zero Day Speculative Security Vulnerability On AMD Zen 2 Processors CVE-2023-20593

A new zero day security vulnerability has been announced for AMD Zen 2 family processors called Zendbleed https://lock.cmpxchg8b.com/zenbleed.html

From AMD 'Zenbleed' bug lets hackers steal data from Ryzen CPUs | PCWorld

---

 

Lucky for me my Linode KVM VPS are AMD EPYC Milan 3rd generation 7xx3 = AMD EPYC 7713

Code (Text):

lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    1
Core(s) per socket:    4
Socket(s):             1
NUMA node(s):          1
Vendor ID:             AuthenticAMD
CPU family:            25
Model:                 1
Model name:            AMD EPYC 7713 64-Core Processor
Stepping:              1
CPU MHz:               1999.989
BogoMIPS:              4001.64
Hypervisor vendor:     KVM
Virtualization type:   full
L1d cache:             64K
L1i cache:             64K
L2 cache:              512K
L3 cache:              16384K
NUMA node0 CPU(s):     0-3

Upcloud VPS users will need to contact support I'd imagine as they use AMD EPYC Rome 2nd gen = AMD EPYC 7542 Rome

Code (Text):

lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                1
On-line CPU(s) list:   0
Thread(s) per core:    1
Core(s) per socket:    1
Socket(s):             1
NUMA node(s):          1
Vendor ID:             AuthenticAMD
CPU family:            23
Model:                 49
Model name:            AMD EPYC 7542 32-Core Processor
Stepping:              0
CPU MHz:               2894.560
BogoMIPS:              5789.12
Hypervisor vendor:     KVM
Virtualization type:   full
L1d cache:             64K
L1i cache:             64K
L2 cache:              512K
L3 cache:              16384K
NUMA node0 CPU(s):     0
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm art rep_good nopl extd_apicid eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw perfctr_core ssbd rsb_ctxsw ibrs ibpb stibp vmmcall fsgsbase tsc_adjust bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 retpoline_amd arat umip spec_ctrl intel_stibp

 

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

For data center CPUs

 

AlmaLinux has test patches for Zenbleed AlmaLinux OS - Forever-Free Enterprise-Grade Operating System

 

Cloudflare Blog regarding AMD Zenbleed https://blog.cloudflare.com/zenbleed-vulnerability/

 

Usually I'd agree. Though Cloudflare themselves already took the very same patches and applied it to their entire AMD EPYC Zen2 fleet of servers. They wouldn't do that if their folks with knowledge deemed it OK to do so - same as AlmaLinux folks. Though in AlmaLinux's case they're only releasing it for testing. Of course side effects depending on hardware used aren't truly known yet

 

Isn't that expected given AlmaLinux is no longer 1:1 clone of RHEL? AlmaLinux used Grafana's direct upstream source patch https://git.almalinux.org/rpms/grafana/commit/0ee7429587298d987cde5406df203320de227083

That seems normal to me. My PHP-FPM EOL 5.6, 7.0-7.4 backported security patches are also from official php.net backported patches too

Seems the actual backport patch is from Grafana upstream source while the unit test patched (0011-fix-alert-test.patch) is from CentOS Stream?

Code (Text):

# https://gitlab.com/redhat/centos-stream/rpms/grafana/-/blob/3731c12a8956d50514a58d9aa2f2d330d4ee32b6/0007-fix-alert-test.patch
Patch11: 0011-fix-alert-test.patch
# Patch was taken from grafana github sources and backported for 9.0.9
# git diff v9.2.19 v9.2.20 -- pkg/
Patch12: 0012-CVE-2023-3128.patch

 

?? Both patches resulting diff's look the same to me grafana-almalinux-vs-rockylinux-patch-compare - Diff Checker ?

 

Personally, I don't see the problem. You do what needs to be done to solve a problem

AlmaLinux are releasing the AMD Zenbleed patch on July 27th it seems https://almalinux.discourse.group/t/zenbleed-patch-release-7am-eastern-us-time-7-27-23/2802

They're also inviting for user feedback on how they should be handling these in future

 

In contrast Rocky Linux is contining 1:1 clone RHEL compatibility so they decide to wait on RHEL's response https://forums.rockylinux.org/t/zen...s-rocky-linux-working-on-it/10812/2?u=eva2000. But RHEL are confusingly saying 'not affected' ? Which is true for Kernel package 2217845 – (CVE-2023-20593, zenbleed) CVE-2023-20593 hw: amd: Cross-Process Information Leak

Edit: looks like they updated cve-details to list as Affected.

So will be while to wait on RHEL and Rocky Linux to address AMD Zenbleed. Yeah takes time to test patches so sort of expected.

From
2217845 – (CVE-2023-20593, zenbleed) CVE-2023-20593 hw: amd: Cross-Process Information Leak

 

Yeah that would be expected if AlmaLinux is not pursuing 1:1 RHEL clone state. When I refer to doing what you need to do to solve a problem, I was thinking back when I inspected some of RHEL's .spec file source RPM files and patches, they sometimes take upstream open source updates/backports and alter the code so it works with RHEL's package/version dependencies = RHEL does whatever it needs to do to make it work with what they have.

In AlmaLinux's defence, Redhat later changed AMD Zendbled to affected for all but RHEL 6 - so RHEL 7, 8, 9 are all affected cve-details. Just Redhat was either slow off the mark or incorrectly diagnosed AMD Zenbleed from the initial bug report discussion at least 2217845 – (CVE-2023-20593, zenbleed) CVE-2023-20593 hw: amd: Cross-Process Information Leak

But yes the microcode/linux firmware fix is for small set of AMD Zen2 CPUs, rest would need vendor BIOS updates from motherboard manufacturers which for mobile/desktop AMD Zen2 aren't scheduled until Oct-Dec 2023! For some folks impacted, would be quicker to switch/upgrade the CPU to AMD Zen3 or AMD Zen4 based

 

Definitely understand that

Yeah a fine balance between adequate testing and urgency for zero day security vulnerabilities

 

Just did a yum update on my AlmaLinux 8 and AlmaLinux 9 Centmin Mod servers and see the linux-firmware and microcode_ctl updates for Intel Downfall and AMD Zenbleed security vulnerabilities now now out of test repo into main repo AlmaLinux OS - Forever-Free Enterprise-Grade Operating System

On AlmaLinux 8 got these updates

Code (Text):

                               
  linux-firmware-20230404-114.git2e92a49f.el8_8.alma.1.noarch                               
  microcode_ctl-4:20220809-2.20230808.1.el8_8.alma.x86_64

On AlmaLinux 9 got these updates

Code (Text):

  linux-firmware-whence-20230310-134.el9_2.alma.1.noarch                                   
  microcode_ctl-4:20220809-2.20230808.1.el9_2.alma.noarch

From AlmaLinux instructions after update, to update the CPU microcode run the following or reboot the computer:

Code (Text):

echo 1 > /sys/devices/system/cpu/microcode/reload

using microcode reload echo command on AlmaLinux 8

Code (Text):

dmesg | egrep -iv 'firewall' | grep -C2 microcode
[12204821.506073] i2c i2c-2: sendbytes: NAK bailout.
[12214335.393522] i2c i2c-2: sendbytes: NAK bailout.
[12217429.885519] microcode: updated to revision 0xf4, date = 2023-02-23
[12217429.885566] x86/CPU: CPU features have changed after loading microcode, but might not take effect.
[12217429.885567] x86/CPU: Please consider either early loading through initrd/built-in or a potential BIOS update.
[12217429.885568] microcode: Reload completed, microcode revision: 0xf4

AlmaLinux 9 system didn't show anything in dmesg but does see auto applied microcode updates via command

Code (Text):

grep -i microcode /var/log/messages