AMD 'Zenbleed' vulnerability

crunchbits

Had a few pings about this (thank you!), haven't seen any mention on here but I know plenty of providers/users running Zen2 stuff.

Quick blog update from us

Seems like a pretty serious bug, and the exploit is public. Information will likely change often so don't hold my feet to the flame too hard--just trying to raise awareness so nobody wakes up to a wiped server.

jar

Now where are all of the "If they don't use AMD processors they can't be trusted" (paraphrased) crowd. I swear I recall a bunch of people acting like that, might have even been me.

crunchbits

@jar said:
Now where are all of the "If they don't use AMD processors they can't be trusted" (paraphrased) crowd. I swear I recall a bunch of people acting like that, might have even been me.

I missed this, but can definitely imagine it. Luckily we've been a bi-curious CPU shop for awhile.

Samidare

Fix #5 for providers
Upgrade to zen3 for free

jar

@crunchbits said:

@jar said:
Now where are all of the "If they don't use AMD processors they can't be trusted" (paraphrased) crowd. I swear I recall a bunch of people acting like that, might have even been me.

I missed this, but can definitely imagine it. Luckily we've been a bi-curious CPU shop for awhile.

I've almost phased them all out for Intel boxes again. Mitigations have proven acceptable and it's still easier to get slightly aged systems lying around.

rattlecattle

From Tavis Ormandy awesome research!
https://lock.cmpxchg8b.com/zenbleed.html

PulsedMedia

Proxmox doesn't seem to have mitigation out yet, hopefully very soon.

PulsedMedia

This technique is CVE-2023-20593 and it works on all Zen 2 class processors, which includes at least the following products:

AMD Ryzen 3000 Series Processors
AMD Ryzen PRO 3000 Series Processors
AMD Ryzen Threadripper 3000 Series Processors
AMD Ryzen 4000 Series Processors with Radeon Graphics
AMD Ryzen PRO 4000 Series Processors
AMD Ryzen 5000 Series Processors with Radeon Graphics
AMD Ryzen 7020 Series Processors with Radeon Graphics
AMD EPYC “Rome” Processors

We have very few Zen2. Zen1, Zen3 sure, but not many Zen2.

Abd

Thanks.

mxmla

@PulsedMedia said:
Proxmox doesn't seem to have mitigation out yet, hopefully very soon.

Debian released the microcode update for sid a few hours ago: https://packages.debian.org/sid/amd64-microcode

You can just download it, install it and reboot. Worked flawlessly on all our Servers.

wdmg

@PulsedMedia said:

This technique is CVE-2023-20593 and it works on all Zen 2 class processors, which includes at least the following products:

AMD Ryzen 3000 Series Processors
AMD Ryzen PRO 3000 Series Processors
AMD Ryzen Threadripper 3000 Series Processors
AMD Ryzen 4000 Series Processors with Radeon Graphics
AMD Ryzen PRO 4000 Series Processors
AMD Ryzen 5000 Series Processors with Radeon Graphics
AMD Ryzen 7020 Series Processors with Radeon Graphics
AMD EPYC “Rome” Processors

We have very few Zen2. Zen1, Zen3 sure, but not many Zen2.

Yeah there's not much, just a few of them (83 listed): https://en.wikichip.org/wiki/amd/microarchitectures/zen_2#All_Zen_2_Chips

Even this list is missing a few chips.

PulsedMedia

@wdmg said:

@PulsedMedia said:

This technique is CVE-2023-20593 and it works on all Zen 2 class processors, which includes at least the following products:

AMD Ryzen 3000 Series Processors
AMD Ryzen PRO 3000 Series Processors
AMD Ryzen Threadripper 3000 Series Processors
AMD Ryzen 4000 Series Processors with Radeon Graphics
AMD Ryzen PRO 4000 Series Processors
AMD Ryzen 5000 Series Processors with Radeon Graphics
AMD Ryzen 7020 Series Processors with Radeon Graphics
AMD EPYC “Rome” Processors

We have very few Zen2. Zen1, Zen3 sure, but not many Zen2.

Yeah there's not much, just a few of them (83 listed): https://en.wikichip.org/wiki/amd/microarchitectures/zen_2#All_Zen_2_Chips

Even this list is missing a few chips.

obv i meant servers we have installed and in production, not in general what Zen2 products is out there ...

DataIdeas-Josh

@PulsedMedia said:
Proxmox doesn't seem to have mitigation out yet, hopefully very soon.

Correct however can do this. (Note: I've heard will have to do this every time a reboot is issued)

apt install msr-tools
modprobe msr
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))

If follow the OPs guide you will get the following error.

# wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
rdmsr: open: No such file or directory
-bash: | (1<<9): syntax error: operand expected (error token is "| (1<<9)")

Here has been the thread from Proxmox over the issue.
https://forum.proxmox.com/threads/zenbleed-cve-2023-20593.131164

DataIdeas-Josh

@mxmla said:

@PulsedMedia said:
Proxmox doesn't seem to have mitigation out yet, hopefully very soon.

Debian released the microcode update for sid a few hours ago: https://packages.debian.org/sid/amd64-microcode

You can just download it, install it and reboot. Worked flawlessly on all our Servers.

I wonder how long it will take for them to push it out via repo

NetDynamics24

Ubuntu 22 released an update for this.

crunchbits

@mxmla said:
Debian released the microcode update for sid a few hours ago: https://packages.debian.org/sid/amd64-microcode

You can just download it, install it and reboot. Worked flawlessly on all our Servers.

@NetDynamics24 said:
Ubuntu 22 released an update for this.

Awesome, will update with this info.

NetDynamics24

@crunchbits said:

Awesome, will update with this info.

Here is a screenshot:
https://prnt.sc/L7PWjS8zahVs

DataIdeas-Josh

Hmm... possible attack via browser???
https://blog.cloudflare.com/zenbleed-vulnerability/

cybertech

@jar said:
Now where are all of the "If they don't use AMD processors they can't be trusted" (paraphrased) crowd. I swear I recall a bunch of people acting like that, might have even been me.

AMD ftw.