CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
35.1%
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances,
may allow an attacker to potentially access sensitive information.
Author | Note |
---|---|
Priority reason: Allows a local attacker to read the contents of arbitrary processes, even across VM boundaries - PoC is publicly available. | |
alexmurray | In Ubuntu the linux-firmware source package does not ship the AMD microcode - instead this is contained within the amd64-microcode source package. There is also an associated patch for the Linux kernel to add a new chicken-bit which will automatically be set to enable a fallback workaround in the kernel in the case that the associated microcode is not available. Finally, the updates released by AMD on 2023-07-24 only cover Rome / Castle Peak and Mendocino designs - updates for consumer oriented designs like Matisse, Renoir etc are expected later in the year. This is not planned to be fixed for the amd64-microcode package in Ubuntu 14.04 as that release was already outside of the LTS timeframe when this hardware platform was launched. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | amd64-microcode | < 3.20191021.1+really3.20181128.1~ubuntu0.18.04.1+esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | amd64-microcode | < 3.20191218.1ubuntu1.1 | UNKNOWN |
ubuntu | 22.04 | noarch | amd64-microcode | < 3.20191218.1ubuntu2.1 | UNKNOWN |
ubuntu | 23.04 | noarch | amd64-microcode | < 3.20220411.1ubuntu3.1 | UNKNOWN |
ubuntu | 23.10 | noarch | amd64-microcode | < 3.20230719.1ubuntu1 | UNKNOWN |
ubuntu | 24.04 | noarch | amd64-microcode | < 3.20230719.1ubuntu1 | UNKNOWN |
ubuntu | 16.04 | noarch | amd64-microcode | < 3.20191021.1+really3.20180524.1~ubuntu0.16.04.2+esm1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux | < 4.15.0-216.227 | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < 5.4.0-159.176 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-82.91 | UNKNOWN |
github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8
launchpad.net/bugs/cve/CVE-2023-20593
lock.cmpxchg8b.com/zenbleed.html
lore.kernel.org/linux-firmware/[email protected]/T/#maa00a9e4b26bcdbf0370b24bdb082639ad0b8dd6
marc.info/?l=oss-security&m=169020885715049&w=2
nvd.nist.gov/vuln/detail/CVE-2023-20593
security-tracker.debian.org/tracker/CVE-2023-20593
ubuntu.com/security/notices/USN-6244-1
ubuntu.com/security/notices/USN-6315-1
ubuntu.com/security/notices/USN-6316-1
ubuntu.com/security/notices/USN-6317-1
ubuntu.com/security/notices/USN-6318-1
ubuntu.com/security/notices/USN-6321-1
ubuntu.com/security/notices/USN-6324-1
ubuntu.com/security/notices/USN-6325-1
ubuntu.com/security/notices/USN-6328-1
ubuntu.com/security/notices/USN-6329-1
ubuntu.com/security/notices/USN-6330-1
ubuntu.com/security/notices/USN-6331-1
ubuntu.com/security/notices/USN-6332-1
ubuntu.com/security/notices/USN-6342-1
ubuntu.com/security/notices/USN-6342-2
ubuntu.com/security/notices/USN-6346-1
ubuntu.com/security/notices/USN-6348-1
ubuntu.com/security/notices/USN-6357-1
ubuntu.com/security/notices/USN-6385-1
ubuntu.com/security/notices/USN-6397-1
ubuntu.com/security/notices/USN-6532-1
www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
www.cve.org/CVERecord?id=CVE-2023-20593