Zenbleed: How to quickly and easily fix AMD CPU 0-day Exploit

hackerman coming to make your zenbleed

[UPDATE 7/26/2023]: Debian (sid) has added an amd64-microcode update.
This is a slightly better fix than the chicken bit used in the methods below, as it has a smaller performance hit. To install it, make sure you have the security repo added and then run the following commands:

apt update
apt install amd64-microcode

AlmaLinux has also released a similar microcode patch for AlmaLinux 8 and 9 and is asking for testers.

Ubuntu has its amd64-microcode packages out for Jammy and Focal as well.

I'll keep this short and to the point. If you're unaware, AMD Zenbleed is a 0-day exploit that affects all Zen 2 class processors. It allows a malicious third party to effectively spy on operations happening anywhere on the system, regardless of your setup: VMs, sandboxes, containers, processes, etc. You are not safe.

As of writing this article, there are two (or, loosely, three) fixes available.

Fix #1: chicken bit

First, install msr-tools on your OS (rdmsr/wrmsr talk to /dev/cpu/*/msr, so the msr kernel module must be loaded, e.g. via modprobe msr).

Then run the following command as root:

wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))

That should be it. If for some reason that doesn't work for you, or you don't want this fix applied permanently, then read on for fix #2. There is supposedly a performance hit when using this fix, so ideally you only want it as a temporary measure until a permanent fix is ready.

Fix #2: update kernel

Update your Linux kernel to the newest stable (6.4.6 at time of writing) and the chicken bit will be applied automatically if your CPU is vulnerable and doesn't have updated microcode. AMD has released updated microcode for the EPYC line, but not for Ryzen. More detail on that in Fix #3.

Kernel 6.4.6 Zenbleed fix commit

Fix #3: update CPU microcode

AMD released a microcode update for EPYC CPUs; however, as of now none of the systems we run have had their BIOS patched and updated to include it. If you're running a Ryzen CPU, the expected ETA for a fix is Q4. Additionally, I expect it will take some time for board manufacturers to roll out BIOS updates, so you're almost certainly going to need fix #1 or #2. Fix #2 is likely the best method, as it automatically detects when you have updated microcode or an otherwise protected CPU and then does not apply the chicken bit. However, not everyone is on (or wants to be on) kernel 6.x yet, so you'll need fix #1 for the time being.
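To tie Fix #1 and Fix #3 together, here is an added shell script (my own, not code from the original post, AMD, or the kernel) that reports whether the chicken bit is currently set on your CPU and, on request, sets it on every logical CPU using the same MSR arithmetic as the one-liner in Fix #1. It assumes msr-tools, a loaded msr kernel module and root. The family-17h check only tells you the CPU may be affected, because Zen and Zen+ share that family with Zen 2, and the script deliberately does not decide whether a given microcode revision already contains AMD's fix; it prints the revision so you can compare it against your vendor's notes.

```shell
#!/bin/sh
# Added example, not code from the original post: report whether the Zenbleed
# chicken bit (bit 9 of MSR 0xc0011029, MSR_AMD64_DE_CFG in the kernel) is set,
# and optionally set it on all CPUs the way the post's one-liner does.
# Assumes msr-tools (rdmsr/wrmsr), the msr kernel module (modprobe msr) and root.

MSR_DE_CFG=0xc0011029
CHICKEN_BIT=9

# True (exit 0) when the given MSR value, hex or decimal, already has bit 9 set.
zenbleed_bit_set() {
    [ $(( $1 & (1 << CHICKEN_BIT) )) -ne 0 ]
}

# Print the value with bit 9 OR'ed in: the same arithmetic as the post's command.
zenbleed_with_bit() {
    printf '0x%x\n' $(( $1 | (1 << CHICKEN_BIT) ))
}

# True when the CPU family (decimal, as /proc/cpuinfo prints it) is 23 = 0x17.
# Zen 2 parts are family 17h, but Zen and Zen+ share it, so a match means
# "may be affected", not "is affected".
cpu_is_amd_17h() {
    [ "$1" -eq 23 ]
}

# First value of a /proc/cpuinfo field, leading whitespace stripped.
cpuinfo_field() {
    awk -F: -v key="$1" '$1 ~ "^"key {sub(/^[ \t]+/, "", $2); print $2; exit}' /proc/cpuinfo
}

# rdmsr reads CPU 0 by default; -c prints a C-style 0x constant.
read_msr() {
    rdmsr -c "$MSR_DE_CFG" 2>/dev/null || {
        echo "rdmsr failed: run as root after 'modprobe msr'" >&2
        return 1
    }
}

zenbleed_status() {
    vendor=$(cpuinfo_field vendor_id)
    family=$(cpuinfo_field "cpu family")
    ucode=$(cpuinfo_field microcode)
    if [ "$vendor" != "AuthenticAMD" ] || ! cpu_is_amd_17h "$family"; then
        echo "vendor=$vendor family=$family: not an AMD family 17h CPU, Zenbleed does not apply"
        return 0
    fi
    cur=$(read_msr) || return 1
    if zenbleed_bit_set "$cur"; then
        echo "MSR $MSR_DE_CFG = $cur: chicken bit set, workaround active (microcode $ucode)"
    else
        echo "MSR $MSR_DE_CFG = $cur: chicken bit NOT set (microcode $ucode)."
        echo "Unless microcode $ucode already contains AMD's fix for this model, the CPU is unmitigated."
    fi
}

zenbleed_apply() {
    cur=$(read_msr) || return 1
    if zenbleed_bit_set "$cur"; then
        echo "chicken bit already set ($cur), nothing to do"
        return 0
    fi
    new=$(zenbleed_with_bit "$cur")
    # -a writes every logical CPU, as in the post; the write does not survive a reboot.
    wrmsr -a "$MSR_DE_CFG" "$new" || return 1
    echo "wrote $new to MSR $MSR_DE_CFG on all CPUs"
}

# Usage: sh zenbleed.sh status   |   sudo sh zenbleed.sh apply
case "${1:-}" in
    status) zenbleed_status ;;
    apply)  zenbleed_apply ;;
    *)      echo "usage: $0 status|apply" >&2 ;;
esac
```

Run "status" first: on a Zen 2 box with kernel 6.4.6 or newer and old microcode you should already see the bit set, because the kernel applied it at boot; on an older kernel you will see it unset until you run "apply" (and again after every reboot, since the MSR write is not persistent).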

Fix #4: shameless plug

If you need a VPS or VDS that is protected from this exploit, check us out :)