On 24 July 2023, security researchers from Google’s Information Security Engineering team disclosed a hardware vulnerability affecting AMD’s Zen 2 family of microprocessors. They dubbed this vulnerability “Zenbleed” (CVE-2023-20593), evoking memories of previous vulnerabilities like Heartbleed and hinting at its possible impact. In response, AMD released an associated microcode update for some of the affected processors, which was then released to all affected Ubuntu users within 24 hours of the original announcement. In this blog post, we look at some of the details behind the vulnerability and the response of the Ubuntu Security team.
What is Zenbleed, and who is affected?
Zenbleed is a vulnerability in the handling of certain vector registers within the Zen 2 family of AMD processors. In particular, it involved the incorrect handling of the vzeroupper instruction when being executed speculatively. This is not the first vulnerability related to speculative execution. The most famous ones were Spectre and Meltdown, announced in early 2018. However, unlike those vulnerabilities, this time it is not a case of being able to infer the state of a hardware register or similar via speculative execution. Instead, Zenbleed is the result of the processor not properly cleaning up state after performing a speculative execution of the vzeroupper instruction, allowing a local attacker to read stale data from the vector registers of other threads or processes on the system (even across virtual machine boundaries).
This hardware fault affects all processors within the AMD Zen 2 family, from the server-oriented EPYC line, to the Ryzen and Threadripper 3000 series for desktops, Ryzen 4000U/H and 5000U series for laptops and more. The full list of affected devices is below:
- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC “Rome” Processors
Given the popularity of these processors and the large number of affected families spanning various form-factors and use-cases, this likely affects a large number of Ubuntu Desktop and Server users.
To remediate this issue, AMD announced both a hardware fix (using updated CPU microcode to patch the CPU instruction set at runtime) and a software workaround. The microcode-based hardware fix from AMD ensures the vzeroupper instruction does not leak information when speculatively executed and has no perceivable performance impact. However, this microcode update is only applicable for the server-oriented EPYC line of processors. For the desktop and laptop-oriented lines, a BIOS firmware update is planned for release later in the year.
The software workaround, however, applies to all affected processors, and is enabled within the Linux kernel itself. In this case, the kernel automatically instructs the processor to not speculatively execute the vzeroupper instruction if there is no microcode fix applied. As such, this may slightly impact performance by reducing the throughput of the processor instruction pipeline in these cases.
How does Ubuntu make you secure?
USN-6244-1 was released on 25 July 2023, which included the updated microcode within the amd64-microcode package. The associated Linux kernel patches were released across the various kernels for affected versions of Ubuntu, starting with USN-6315-1 for the generic kernel in Ubuntu 22.04 LTS – this was released on 29 August 2023. The delay between the initial microcode release and the Linux kernel releases in Ubuntu was due to a number of factors, primarily because of the increased testing and validation which is required for Ubuntu kernel updates. For each Ubuntu release, the Linux kernel consists of a number of different variants targeted for a range of hardware platforms or deployment scenarios. Each of these needs to be independently tested and verified before the release can be made. Also, each kernel release includes a range of security and bug fix updates, each of which requires additional validation across each of these platforms.
To mitigate this vulnerability, the software workaround was documented alongside the CVE within the Ubuntu CVE Tracker, allowing affected users and customers to easily determine if they were affected and manually apply this workaround until the updated kernel packages were released.
Find out if you’re affected
To discover if you are affected, you can run the pro fix command:
pro fix CVE-2023-20593
This will explain if the local system is affected and whether any related software updates have been installed or not. To ensure that security updates are installed automatically, Ubuntu comes preconfigured with unattended-upgrades, which automatically checks for, and installs, any relevant security updates for the installed packages. If you have disabled this feature, consider re-enabling it for added peace of mind.
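For hosts where only a collected /proc/cpuinfo dump is at hand, the following added example (not Canonical's or AMD's tooling) classifies the CPU as Zen 2 and compares its loaded microcode revision against a minimum supplied by the operator. Assumptions: the function names are hypothetical, the Zen 2 model ranges are the ones the upstream Linux kernel uses for family 23 rather than anything stated on this page, and the sample values and threshold are constructed.

```sh
# Print "vendor family model microcode" for the first CPU entry; "-" = missing field.
cpuinfo_fields() {
    awk -F':' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function dash(s) { return (s == "" ? "-" : s) }
        { k = trim($1); v = trim($2) }
        k == "vendor_id"  { vendor = v }
        k == "cpu family" { family = v }
        k == "model"      { model = v }      # exact match, so "model name" is skipped
        k == "microcode"  { ucode = v }
        k == "" && vendor != "" { exit }     # a blank line ends the first CPU entry
        END { print dash(vendor), dash(family), dash(model), dash(ucode) }
    ' "$1"
}

# Zen 2 model ranges within family 23 (assumption: upstream kernel's Zen 2 tagging).
is_zen2_model() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    { [ "$1" -ge 48 ] && [ "$1" -le 79 ]; } || { [ "$1" -ge 96 ] && [ "$1" -le 127 ]; } ||
    { [ "$1" -ge 144 ] && [ "$1" -le 145 ]; } || { [ "$1" -ge 160 ] && [ "$1" -le 175 ]; }
}

# Usage: zenbleed_triage CPUINFO_FILE [MIN_FIXED_REV]
# MIN_FIXED_REV comes from AMD's bulletin for the model; this page lists none.
zenbleed_triage() {
    min_rev=${2:-}
    set -- $(cpuinfo_fields "${1:-/proc/cpuinfo}")   # vendor family model microcode
    if [ "$1" != "AuthenticAMD" ] || [ "$2" != "23" ] || ! is_zen2_model "$3"; then
        echo "not-zen2"
    elif [ -z "$min_rev" ] || [ "$4" = "-" ]; then
        echo "zen2 microcode=$4 unverified"
    elif [ "$(( $4 ))" -ge "$(( $min_rev ))" ]; then
        echo "zen2 microcode=$4 microcode-fixed"
    else
        echo "zen2 microcode=$4 microcode-unfixed"
    fi
}

# Constructed sample (not captured from a real host): one EPYC "Rome" style entry.
sample_cpuinfo() {
    cat <<'EOF'
vendor_id   : AuthenticAMD
cpu family  : 23
model       : 49
model name  : AMD EPYC 7302 16-Core Processor
microcode   : 0x8301038
EOF
}

sample_cpuinfo | zenbleed_triage - 0x8301040   # threshold is constructed
```

A result of microcode-unfixed means the host depends on the kernel software workaround described above until fixed microcode or firmware is installed.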
Who is covered?
The fix is available out of the box for Ubuntu 20.04 LTS and newer (including the 23.04 interim release). For Ubuntu 18.04 LTS and 16.04 LTS, the update is available with an Ubuntu Pro subscription, which provides access to Expanded Security Maintenance for the main OS and over 30,000 packages in the Universe repository. Ubuntu Pro is free for personal use on up to five machines and comes with additional security and patching automation features. More information is available at ubuntu.com/pro.