Securing Your CloudLinux Server: Mitigating New Intel and AMD CPU Vulnerabilities

Following the CloudLinux team’s recent updates on patching the Zenbleed vulnerability, we’re back with another update on cybersecurity issues. This time, we’re dealing with the recent security vulnerabilities affecting Intel and AMD CPUs. CloudLinux is already on the case, and we’re here to guide you through the necessary actions to keep your systems safe.

Understanding the Threats

Earlier this week, the tech community buzzed with reports of two new vulnerabilities that put Intel and AMD CPUs at risk: CVE-2023-20569 and CVE-2022-40982 (Downfall). Let’s break down what they mean in simpler terms.

  1. CVE-2023-20569: A Vulnerability in AMD CPUs’ Predictive Processing

    This vulnerability affects some AMD CPUs and concerns speculative execution. On affected CPUs, an attacker may be able to influence return address predictions. This can trigger speculative execution at an address controlled by the attacker, potentially resulting in the disclosure of sensitive information.

    For a comprehensive explanation, you can find the detailed description here.

  2. CVE-2022-40982 (Downfall): A Vulnerability Revealing Intel CPU Data

    Intel processors are the target here. This is a Gather Data Sampling (GDS) transient execution side-channel vulnerability that might enable a local attacker to use gather instructions (memory loading) to infer stale data from vector registers that were previously used on the same physical core.

    For an in-depth understanding, you can access the detailed description here.

Mitigation Guide

The CloudLinux team is already working on solutions to address these vulnerabilities. Here are the mitigation steps you can apply right away.

Mitigating CVE-2023-20569

If you’re on CloudLinux 7 or CloudLinux 7h, it’s as simple as updating your linux-firmware package from the Beta channel by running the following commands:

    • For CL7:
      yum install linux-firmware --enablerepo=cloudlinux-update-testing
    • For CL7h:
      yum install linux-firmware --enablerepo=cl7h_beta

For CloudLinux 8 and CloudLinux 9, mitigating the vulnerability involves installing the latest CPU microcode, which will be available through AlmaLinux’s upcoming release of the “linux-firmware” package. We will inform you as soon as this updated linux-firmware package becomes available in CloudLinux. For now, you are welcome to join the AlmaLinux public testing group and download the packages already available for testing via the following links:

      • CL8: Download here
      • CL9: Download here
      • Then, to update the CPU microcode, run the following command:

        echo 1 > /sys/devices/system/cpu/microcode/reload


Mitigating CVE-2022-40982 (Downfall)

For those in the CloudLinux 7 and CloudLinux 7h club, you’ll want to update your “microcode_ctl” package from the Beta channel with the following commands:

      • For CL7:
        yum install microcode_ctl --enablerepo=cloudlinux-update-testing
      • For CL7h:
        yum install microcode_ctl --enablerepo=cl7h_beta

For users of CloudLinux 8 and CloudLinux 9, the vulnerability can be addressed by installing the forthcoming CPU microcode update. This update will soon become available in an upcoming release of AlmaLinux’s microcode_ctl package. There is also already an option to download the update manually from AlmaLinux public testing repositories:

        echo 1 > /sys/devices/system/cpu/microcode/reload
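
To confirm that a microcode reload took effect, the following added example (not CloudLinux’s own tooling) reads the microcode revision of every core and the kernel’s status files for both CVEs. It assumes the running kernel exposes gather_data_sampling and spec_rstack_overflow under /sys/devices/system/cpu/vulnerabilities; the sample tree and revision values are constructed.

```shell
#!/bin/sh
# Added example. Assumes the kernel exposes the sysfs status files named
# below; a kernel without them is shown as "not reported".

# Distinct microcode revisions across all logical CPUs (x86 /proc/cpuinfo).
microcode_revisions() {
    sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' "$1/proc/cpuinfo" | sort -u
}

# Kernel-reported status for one vulnerability file under the given root.
vuln_status() {
    f="$1/sys/devices/system/cpu/vulnerabilities/$2"
    if [ -r "$f" ]; then cat "$f"; else echo "not reported"; fi
}

# Print a report; return 1 if cores disagree on the revision or a status
# begins with "Vulnerable". $1 is the filesystem root ("" for the live host).
check_host() {
    rc=0
    n=$(microcode_revisions "$1" | grep -c . || true)
    echo "microcode revisions in use: $(microcode_revisions "$1" | tr '\n' ' ')"
    [ "$n" -eq 1 ] || { echo "WARN: expected one revision, found $n"; rc=1; }
    # gather_data_sampling = CVE-2022-40982, spec_rstack_overflow = CVE-2023-20569
    for v in gather_data_sampling spec_rstack_overflow; do
        s=$(vuln_status "$1" "$v")
        echo "$v: $s"
        case "$s" in Vulnerable*) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample tree (not real host data) so the script runs anywhere.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/proc" "$d/sys/devices/system/cpu/vulnerabilities"
    printf 'processor\t: 0\nmicrocode\t: %s\nprocessor\t: 1\nmicrocode\t: %s\n' \
        "$1" "$2" > "$d/proc/cpuinfo"
    echo "$3" > "$d/sys/devices/system/cpu/vulnerabilities/gather_data_sampling"
    echo "$d"
}

sample=$(make_sample 0x1 0x1 "Mitigation: Microcode")
check_host "$sample" || echo "host needs attention"
rm -rf "$sample"
```

On a live host, call check_host "" before and after the reload and compare the reported revision.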

Wrap Up

Updating your server’s firmware and microcode might seem complex, but it’s worth it. These actions act as shields against potential attacks. Remember, CloudLinux supports you through the process.

In summary, this guide covers recent Intel and AMD CPU vulnerabilities with CloudLinux’s protective measures. Stay tuned for more updates on this topic! 🛡️🔒