ISN 2023-15: ZenBleed Vulnerability
First published 28 July 2023
CVSS 3.1: 6.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
A vulnerability called ZenBleed has been discovered in the line of “Zen 2” CPUs from AMD. This affects the following IGEL Products
- IGEL OS 12 running on AMD CPUs
- IGEL OS 11 running on AMD CPUs
Details
ZenBleed (CVE-2023-20593) is a medium risk (6.5 CVSS score) vulnerability, which can allow local attackers with the ability to run arbitrary code within the local machine/VM to infer CPU register content from another process in the same instance scheduled on the same core. This could potentially leak sensitive information. Google’s Project Zero security team has confirmed that this vulnerability is reproducible on at least the following SKUs:
- AMD Ryzen Threadripper PRO 3945WX 12-Cores
- AMD Ryzen 7 PRO 4750GE with Radeon Graphics
- AMD Ryzen 7 5700U
- AMD EPYC 7B12
Update Instructions
- OS 12: Update the IGEL OS Base System app to version 12.02.100 (available in September 2023)
- OS 11: Update to OS 11.09.100 (available in September 2023)
References
- Vulnerability write-up by Tavis Ormandy (Google): https://lock.cmpxchg8b.com/zenbleed.html
- Google’s Project Zero Disclosure: https://github.com/google/security-research/tree/master/pocs/cpus/zenbleed