Security Information / 2023 / Security Information -- DSA-5459-1 amd64-microcode

Debian Security Advisory

DSA-5459-1 amd64-microcode -- security update

Date Reported:

25 Jul 2023

Affected Packages:

amd64-microcode

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1041863.
In Mitre's CVE dictionary: CVE-2023-20593.

More information:

Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in Zen 2 CPUs may not be written to 0 correctly. This flaw allows an attacker to leak register contents across concurrent processes, hyper threads and virtualized guests.

For details please refer to https://lock.cmpxchg8b.com/zenbleed.html https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8

The initial microcode release by AMD only provides updates for second generation EPYC CPUs: Various Ryzen CPUs are also affected, but no updates are available yet. Fixes will be provided in a later update once they are released.

For more specific details and target dates please refer to the AMD advisory at https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

For the oldstable distribution (bullseye), this problem has been fixed in version 3.20230719.1~deb11u1. Additionally the update contains a fix for CVE-2019-9836.

For the stable distribution (bookworm), this problem has been fixed in version 3.20230719.1~deb12u1.

We recommend that you upgrade your amd64-microcode packages.

For the detailed security status of amd64-microcode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/amd64-microcode