Search the Community

AMD and Intel have both released a host of patches fixing some serious security issues affecting their respective hardware offerings. First up, AMD has found and fixed four vulnerabilities that were plaguing different versions of its Zen-based CPUs. The vulnerabilities allow threat actors to, among other things, run malicious code on the targeted devices - but while the company did address the flaws by releasing patches, the fixes are yet to reach all users. Fixing Zenbleed The flaws AMD found affect different CPUs (they don’t always overlap). However, they all compromise the security of the SPI interface, which connects to the flash chip that stores the BIOS. The vulnerabilities are tracked as CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, and are all rated as “high severity”. In theory, a threat actor would be able to abuse these flaws to mount denial of service attacks, to escalate privileges, and execute arbitrary code, which could result in complete endpoint takeover. The silver lining here is that the attackers would need to have local access to the vulnerable system. The flaws affected both original Zen chips and the latest Zen 4 processors, and many of the variants in between. The full list of affected chips, and the patches, can be found on AMD’s advisory published earlier this week. AMD patched the flaws by issuing a new version of AGESA, the base code for motherboard BIOS. The new version for Zen 2-based chips also patch Zenbleed. To get the new AGESA versions, new BIOS needs to be deployed to the users, so even though new AGESA is technically available, it doesn’t mean all motherboards can be updated straight away. AMD credited Enrique Nissim, Krzysztof Okupski, and Joseph Tartaro of IOActive for the discovery and reporting of these issues, although it added that “some of the findings were made on PCs running outdated firmware or software”. It urged all customers to apply the patches as soon as possible and recommended they follow security best practices to remain secure. Intel patches three dozen flaws At the same time, Intel patched almost three dozen different vulnerabilities, affecting various software and firmware. In total, 32 bugs were for software, impacting different chipset drivers, Wi-Fi, and other components. The remaining two bugs were software and firmware flaws affecting Thunderbolt. The software issue, affecting Thunderbolt drivers, was particularly worrying as it encompassed 20 different exploits that could allow threat actors to escalate privileges, perform denial of service attacks, and steal data. Of the 20, three are “high severity”. A sliver of good news is that the majority of the 20 Thunderbolt drivers require local access to the device. The bad news is that in order to address all of the flaws, users need to update every software and firmware listed by Intel, separately. Via Tom’s Hardware More from TechRadar Pro Some top AMD chips have a major security flawHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Zen-based CPUs are vulnerable to four newly disclosed bugs, according to AMD, and you'll need to update your BIOS to become secure. View the full article

On 24 July 2023, security researchers from Google’s Information Security Engineering team disclosed a hardware vulnerability affecting AMD’s Zen 2 family of microprocessors. They dubbed this vulnerability “Zenbleed” (CVE-2023-20593), evoking memories of previous vulnerabilities like HeartBleed and hinting at its possible impact. In response, AMD released an associated microcode update for some of the affected processors, which was then released to all affected Ubuntu users within 24 hours of the original announcement. In this blog post, we look at some of the details behind the vulnerability and the response of the Ubuntu Security team. What is Zenbleed, and who is affected? Zenbleed is a vulnerability in the handling of certain vector registers within the Zen 2 family of AMD processors. In particular, it involved the incorrect handling of the vzeroupper instruction when being executed speculatively. This is not the first vulnerability related to speculative execution. The most famous ones were Spectre and Meltdown, announced in early 2018. However, unlike those vulnerabilities, this time it is not a case of being able to infer the state of a hardware register or similar via speculative execution. Instead, Zenbleed is the result of the processor not properly cleaning up state after performing a speculative execution of the vzeroupper instruction, allowing a local attacker to read stale data from the vector registers of other threads or processes on the system (even across virtual machine boundaries). This hardware fault affects all processors within the AMD Zen 2 family, from the server oriented EPYC line, to the Ryzen and Threadripper 3000 series for desktops, Ryzen 4000U/H and 5000U series for laptops and more. The full list of affected devices is listed below: AMD Ryzen 3000 Series ProcessorsAMD Ryzen PRO 3000 Series ProcessorsAMD Ryzen Threadripper 3000 Series ProcessorsAMD Ryzen 4000 Series Processors with Radeon GraphicsAMD Ryzen PRO 4000 Series ProcessorsAMD Ryzen 5000 Series Processors with Radeon GraphicsAMD Ryzen 7020 Series Processors with Radeon GraphicsAMD EPYC “Rome” Processors Given the popularity of these processors and the large number of affected families spanning various form-factors and use-cases, this likely affects a large number of Ubuntu Desktop and Server users. To remediate this issue, AMD announced both a hardware fix (using updated CPU microcode to patch the CPU instruction set at runtime) and a software workaround. The microcode-based hardware fix from AMD ensures the vzeroupper instruction does not leak information when speculatively executed and has no perceivable performance impact. However, this microcode update is only applicable for the server-oriented EPYC line of processors. For the desktop and laptop-oriented lines, a BIOS firmware update is planned for release later in the year.The software workaround, however, applies to all affected processors, and is enabled within the Linux kernel itself. In this case, the kernel automatically instructs the processor to not speculatively execute the vzeroupper instruction if there is no microcode fix applied. As such, this may slightly impact performance by reducing the throughput of the processor instruction pipeline in these cases. How does Ubuntu make you secure? USN-6244-1 was released on 25 July 2023, which included the updated microcode within the amd64-microcode package. The associated Linux kernel patches were released across the various kernels for affected versions of Ubuntu, starting with USN-6315-1 for the generic kernel in Ubuntu 22.04 LTS – this was released on 29 August 2023. The delay between the initial microcode release and the Linux kernel releases in Ubuntu was due to a number of factors, primarily because of the increased testing and validation which is required for Ubuntu kernel updates. For each Ubuntu release, the Linux kernel consists of a number of different variants targeted for a range of hardware platforms or deployment scenarios. Each of these needs to be independently tested and verified before the release can be made. Also, each kernel release includes a range of security and bug fix updates, each of which requires additional validation across each of these platforms. To mitigate this vulnerability, the software workaround was documented alongside the CVE within the Ubuntu CVE Tracker, allowing affected users and customers to easily determine if they were affected and manually apply this workaround until the updated kernel packages were released. Find out if you’re affected To discover if you are affected, you can run the pro fix command: pro fix CVE-2023-20593 This will explain if the local system is affected and whether any related software updates have been installed or not. To ensure that security updates are installed automatically, Ubuntu comes preconfigured with unattended-upgrades which automatically checks for, and installs, any relevant security updates for the installed packages. If you have disabled this feature, consider re-enabling it for added peace-of-mind. Who is covered? The fix is available out of the box for Ubuntu 20.04 LTS and newer (including the 23.04 interim release). For Ubuntu 18.04 LTS and 16.04 LTS, the update is available with an Ubuntu Pro subscription, which provides access to Expanded Security Maintenance for the main OS and over 30,000 packages in the Universe repository. Ubuntu Pro is free for personal use on up to five machines and comes with additional security and patching automation features. More information is available at ubuntu.com/pro. View the full article