How can I tell if my server was affected by Zenbleed?

Linode Staff

How can I check if my server was affected by the Zenbleed vulnerability? Is there anything I need to do to ensure my server is protected?

2 Replies

We recently announced the disclosure and successful mitigation of the AMD CPU Zenbleed security vulnerability. While Akamai Cloud computing systems are no longer vulnerable to Zenbleed, you may wish to take additional steps depending on the nature of the services on your server.

This post details how you can use the Linux command line to determine if your server is running on a Zen 2 CPU that was affected by Zenbleed. There are two options: check /proc/cpuinfo or install and run cpuid.

Option 1: check /proc/cpuinfo

The /proc/cpuinfo file will tell you which CPU your server last booted on. Simply run cat /proc/cpuinfo to see the contents of the file. AMD EPYC 7542, 7642, 7702, and 7F72 are the Zen 2 CPU models used in our fleet:

$ cat /proc/cpuinfo
processor    : 0
vendor_id    : AuthenticAMD
cpu family    : 23
model        : 49
model name    : AMD EPYC 7642 48-Core Processor

Option 2: install cpuid

The cpuid command allows you to query the Linux kernel for information about the CPU on which your system is currently running (as opposed to the CPU you last booted on). You may need to install cpuid with your distribution’s package manager before proceeding.

Note that cpuid may not report the correct CPU model name on CentOS 7. CentOS 6/7 users should use /proc/cpuinfo.

Debian/Ubuntu installation instructions

apt update
apt install cpuid -y

CentOS 8/9 installation instructions

# Enable the EPEL repo if it’s not already installed
yum install epel-release

# Install cpuid

yum update
yum install cpuid -y

Once installed, simply type cpuid from the command line to inspect your server’s currently running CPU. Servers running on AMD Zen 2 CPUs are running on hosts that were vulnerable to Zenbleed:

cpuid output on a vulnerable (Zen 2) CPU:

CPU 0:
   vendor_id = "AuthenticAMD"
   version information (1/eax):
      processor type  = primary processor (0)
      family          = 0xf (15)
      model           = 0x1 (1)
      stepping id     = 0x0 (0)
      extended family = 0x8 (8)
      extended model  = 0x3 (3)
      (family synth)  = 0x17 (23)
      (model synth)   = 0x31 (49)
      (simple synth)  = AMD (unknown type) (Castle Peak/Rome B0) [Zen 2], 7nm

My server was on a vulnerable (Zen 2) CPU. What can I do?

Customers who discover they were running on vulnerable Zen 2 CPUs may wish to rotate any secrets stored on their server, such as TLS private keys, API keys or other application secrets, application user passwords, or SSH keys. The exact details of what you may need to rotate will depend on the nature of the services running on your server.

cat /proc/cpuinfo | grep -P "7542|7642|7702|7F72"

You're welcome.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct