Mitigating AMD EPYC “Zenbleed” Vulnerability – Understanding and Taking Action

We are writing this post in response to a customer query about the newly identified vulnerability, CVE-2023-20593, also known as “Zenbleed.” This vulnerability affects specific Zen AMD processors which – of course – some of our customers are running.  As always, we at Hivelocity are committed to your security, so in this post we’ll be providing some critical information about the vulnerability and the steps to take to ensure your data remains secured.

The Zenbleed Vulnerability: An Overview

Zenbleed is a use-after-free vulnerability related to the improper handling of an instruction pointer, ‘vzeroupper’, during speculative execution in certain AMD processors. To put it in simpler terms, under certain conditions, a register in “Zen 2” CPUs may not be correctly zeroed. This could potentially allow an attacker to access sensitive information.

Affected Versions:

This vulnerability affects the following processors:

• AMD Ryzen 3000 Series
• AMD Ryzen PRO 3000 Series
• AMD Ryzen Threadripper 3000 Series
• AMD Ryzen 4000 Series with Radeon Graphics
• AMD Ryzen PRO 4000 Series
• AMD Ryzen 5000 Series with Radeon Graphics
• AMD Ryzen 7020 Series with Radeon Graphics
• AMD EPYC “Rome” Processors

How to Determine Vulnerability

You can check if your server is vulnerable by following the PoC (Proof of Concept) write-up available on GitHub: Zenbleed PoC Writeup.

We’ve included a brief overview of the necessary steps below:

1. Install dependencies
2. Download the Zenbleed vulnerability test
3. Compile and run the test
4. Generate traffic if your server isn’t busy
5. Check the results

A server showing vulnerability to Zenbleed should produce results similar to this tweet.

Patching the Vulnerability

For Ubuntu and Debian users, updates have been released for a microcode patch of the Zenbleed vulnerability:

• Ubuntu users can follow the instructions in this advisory and update the system accordingly.
• Debian users can refer to this advisory and apply the necessary updates.

Our Security team is working closely with Supermicro to get a BIOS firmware update available for all of client’s as well. When we have this patch we will amend this post to include links to it as well.

We understand the severity of this situation and are doing everything we can to mitigate any potential risks. For more information about the Zenbleed vulnerability, we recommend the detailed write-up by lock.cmpxchg8b.com and the kernel patch on git.kernel.org.

To stay up to date on new Operating Systems and BIOS patches follow us on twitter.

We appreciate your patience and understanding as we navigate this situation together. As always, we’re here to answer any questions and concerns you might have. Please do not hesitate to get in touch.

Hivelocity, as always, committed to your success and security.