Zenbleed and OpenSSH agent vulnerabilities and their impact on VyOS
Recently, two severe vulnerabilities were discovered by security researchers. One of them is nicknamed Zenbleed (CVE-2023-20593) and affects a number of AMD CPUs, the other one (CVE-2023-38408) affects OpenSSH. Both are potentially very serious but, luckily, don't affect most VyOS users. We will include fixes for them in our next releases, of course, and we can provide hotfix packages to people who need them now.
Zenbleed, described in this post, is a hardware vulnerability in a number of CPUs built upon the AMD Zen architecture. It's conceptually similar to the now-famous Spectre and Meltdown bugs (although its causes and exploitation methods differ) — under certain circumstances, the CPU may leave data from an earlier operation in a register instead of zeroing it, and an attacker who can execute programs on the target machine can use that for data theft.
Since it can only be exploited locally, most VyOS installations shouldn't be concerned about it — if the attacker manages to get into your router, that is already a massive problem by itself.
However, since VyOS now supports running containers, for some users, it can certainly be a concern. AMD already released microcode updates for some of the affected CPUs; we can share a package with it. For several impacted CPUs, there are no updates yet, and they will only be available later this year.
There is a workaround that may incur a performance penalty. Unfortunately, it requires the msr-tools package, which is not installed in VyOS at the moment. Fortunately, that package has no dependencies other than GNU libc, so you can download it by hand from Debian, install it with dpkg -i, then apply the workaround command. We will make sure to include that package in future releases.
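The workaround mentioned above is the software mitigation published with the Zenbleed disclosure: setting bit 9 of MSR 0xc0011029 on every core with the rdmsr/wrmsr tools from msr-tools. The script below is an added example, not a VyOS command or part of the original post; it assumes msr-tools has been installed with dpkg -i as described, that the machine is actually running an affected Zen 2 CPU, and that the MSR and bit number are exactly as published. The bit arithmetic is kept in separate helper functions so it can be checked without touching hardware.

```shell
#!/bin/sh
# Zenbleed (CVE-2023-20593) software workaround: set the published "chicken bit"
# (bit 9 of MSR 0xc0011029) on all cores. This is a stopgap until AMD's
# microcode update is applied, and it does not survive a reboot.

ZENBLEED_MSR=0xc0011029
ZENBLEED_BIT=9

# Pure helper: given the current MSR value (hex or decimal), print the value
# with the mitigation bit set, in the 0x... form that wrmsr accepts.
zenbleed_set_bit() {
  printf '0x%x\n' $(( $1 | (1 << ZENBLEED_BIT) ))
}

# Pure helper: succeeds if the mitigation bit is already set in the given value.
zenbleed_bit_is_set() {
  [ $(( ($1 >> ZENBLEED_BIT) & 1 )) -eq 1 ]
}

# Apply the workaround on the running system. Returns 2 when prerequisites
# (msr-tools, root) are missing, 1 on an MSR read/write failure, 0 otherwise.
apply_zenbleed_workaround() {
  if ! command -v rdmsr >/dev/null 2>&1 || ! command -v wrmsr >/dev/null 2>&1; then
    echo "msr-tools (rdmsr/wrmsr) is not installed" >&2
    return 2
  fi
  if [ "$(id -u)" -ne 0 ]; then
    echo "must be run as root to access MSRs" >&2
    return 2
  fi
  # The msr kernel module provides /dev/cpu/*/msr; ignore failure if built in.
  modprobe msr 2>/dev/null || true

  # rdmsr -c prints the value in C syntax (0x...), which shell arithmetic accepts.
  current=$(rdmsr -c "$ZENBLEED_MSR") || return 1
  if zenbleed_bit_is_set "$current"; then
    echo "already mitigated: MSR $ZENBLEED_MSR = $current"
    return 0
  fi
  new=$(zenbleed_set_bit "$current")
  # wrmsr -a writes the same value to every CPU.
  wrmsr -a "$ZENBLEED_MSR" "$new" || return 1
  echo "MSR $ZENBLEED_MSR changed from $current to $new on all CPUs"
}

# Uncomment to apply on a live system:
# apply_zenbleed_workaround
```

Because the change is lost on reboot, anyone relying on it rather than on the microcode update needs to run it again after every boot until the fixed package is installed.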
SSH agent vulnerability
The vulnerability discovered in OpenSSH allows a malicious server to execute arbitrary code on a vulnerable client when the client uses ssh-agent and has SSH agent forwarding enabled. Since VyOS doesn't use ssh-agent internally, there are no cases in which the default configuration would be vulnerable.
If you use SSH agent forwarding, you can keep your system safe by not enabling it (which is the recommended and the default setting, anyway).
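Agent forwarding is controlled on the client side by the OpenSSH ForwardAgent directive (default no). The audit function below is an added example, not part of the original post or of VyOS; it scans an ssh_config-style file and reports every Host block that turns forwarding on, so a user can confirm the recommended default is in effect for every destination. It assumes a plain Host-block layout and does not interpret Match blocks or Include files; the sample configuration written at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Report Host blocks in an OpenSSH client config that set "ForwardAgent yes".
# Exit status 0 means no block enables agent forwarding, 1 means at least one does.
audit_forward_agent() {
  # $1: path to an ssh_config-style file
  awk '
    BEGIN { host = "(global)"; bad = 0 }
    # Skip comments and blank lines.
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    # A Host line starts a new block; remember its patterns for the report.
    tolower($1) == "host" {
      host = $2
      for (i = 3; i <= NF; i++) host = host " " $i
      next
    }
    # Directive names and the yes/no value are case-insensitive in ssh_config.
    tolower($1) == "forwardagent" && tolower($2) == "yes" {
      print "ForwardAgent yes in Host block: " host
      bad = 1
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample config for the demonstration (not a real VyOS file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# global section
ForwardAgent no

Host bastion.example.internal
  forwardagent yes

Host *
  ForwardAgent no
EOF

if audit_forward_agent "$sample"; then
  echo "OK: no Host block enables agent forwarding"
else
  echo "WARNING: agent forwarding is enabled for the block(s) above"
fi
rm -f "$sample"
```

Run it against ~/.ssh/config and /etc/ssh/ssh_config; the directive can also be overridden per connection with ssh -o ForwardAgent=no.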
Thanks for reading!
That's all for now. Stay tuned for updates!