EGI SVG Advisories

Advisory-SVG-CVE-2023-20593

Title:   EGI SVG 'ALERT' [TLP:CLEAR] Zenbleed (CVE-2023-20593)

Date:    2023-07-26
Updated: 2023-08-15, 2023-09-21, 2023-09-22, 2024-02-16

Affected software and risk
==========================

A speculative execution vulnerability has been discovered in AMD Zen 2 CPUs.
This vulnerability has been dubbed "Zenbleed" [R 1].
A malicious actor could steal sensitive data, such as passwords and encryption keys,
resident in the CPU cores. Sensitive data could be extracted from any system operations,
including those that take place in virtual machines, isolated sandbox environments,
and containers. Even a malicious webpage, running some carefully crafted JavaScript,
could exploit Zenbleed to snoop on information.

We note that some sites are using AMD Zen 2 (e.g. EPYC Rome) CPUs, and we are
therefore alerting sites to this problem. We do not know how easy or difficult it
actually is to exploit this problem across EGI, but please see the "More information"
section below.

Actions required/recommended
============================

**UPDATE 2023-09-21**

Updates from Red Hat are also now available [R 7].

**Correction 2023-09-22** At present, however, the firmware is not available
for RHEL7.

Sites using AMD Zen 2 CPUs are recommended to apply vendor updates and, if these
are not available, to consider mitigation.

**UPDATE 2024-02-16**

Further updates have been made available in the months since the previous
update, including for RHEL7.

Component installation information
==================================

Sites should see information from their vendor.
Updates relating to RHEL8 and RHEL9 are also available [R 7].

Mitigation
==========

An option for mitigation is available at [R 2].

More information
================

One colleague has tested an exploit and was able to make it work; the documented
mitigation was also tested and worked.

An excellent description, including information on mitigation, is provided by
Trusted CI at [R 3].

More information is available at [R 2], [R 4] and [R 5].

**UPDATE 2023-08-15 further reference added**

Also see information from Dell [R 6].

TLP and URL
===========

**CLEAR information - Unlimited distribution - see
https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol
for distribution restrictions**

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2023-20593

Minor updates may be made without re-distribution to the sites.


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant
to EGI, you may report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].

References
==========

[R 1] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

[R 2] https://lock.cmpxchg8b.com/zenbleed.html

[R 3] https://groups.google.com/a/trustedci.org/g/cv-announce/c/nzTrEJb1ypY

[R 4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593

[R 5] https://undeadly.org/cgi?action=article;sid=20230724224011

[R 6] https://www.dell.com/support/kbdoc/en-uk/000216119/dsa-2023-209-security-update-for-dell-amd-based-poweredge-server-vulnerabilities

[R 7] https://access.redhat.com/security/cve/CVE-2023-20593

[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867

Credit
======

SVG was alerted to this vulnerability by Raul Lopes.

Timeline
========

Yyyy-mm-dd  [EGI-SVG-CVE-2023-20593]

2023-07-25 SVG alerted to this issue by Raul Lopes
2023-07-26 Investigation of vulnerability and relevance to EGI carried out
2023-07-26 Decided to send an 'Alert' to sites
2023-09-21 Updated 'Alert' on advisories.egi.eu as RHEL8 and RHEL9 updates available
2024-02-16 Updated 'Alert' on advisories.egi.eu as more updates available,
           including for RHEL7

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose: "To minimize the risk to the EGI infrastructure arising from
software vulnerabilities".

The risk is that assessed by the group, according to the EGI SVG issue
handling procedure [R 99], in the context of how the software is used in
the EGI infrastructure. It is the opinion of the group; we do not guarantee
it to be correct. The risk may also be higher or lower in other deployments,
depending on how the software is used.

-----------------------------
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
------------------------------

Note that the SVG issue handling procedure has recently been modified,
to take account of the increasing inhomogeneity of the EGI infrastructure and
to speed up the procedure for publicly announced vulnerabilities.
Changes are in the process of being implemented.

On behalf of the EGI SVG,