
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2023-20593, also known as Zenbleed, is a hardware vulnerability discovered in AMD Zen2 processors that allows attackers to access sensitive information under specific microarchitectural circumstances. The vulnerability was discovered by Tavis Ormandy from Google Information Security and publicly disclosed on July 24, 2023. The issue affects multiple AMD processor families including AMD Ryzen 3000 Series, AMD Ryzen PRO 3000 Series, AMD Ryzen Threadripper 3000 Series, AMD Ryzen 4000/5000/7020 Series with Radeon Graphics, and AMD EPYC 'Rome' Processors (AMD Security Bulletin, Zenbleed Blog).
The vulnerability occurs when a VZEROUPPER instruction is discarded during speculative execution, causing incorrect handling of the vector register file's z-bit flag. This results in stale values from the physical vector register file, which is shared between sibling threads, becoming accessible. The bug specifically manifests when merge optimization, register rename, and a mispredicted VZEROUPPER instruction enter the FP backend simultaneously. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).
The vulnerability allows attackers to spy on register contents across concurrent processes, hyperthreads, and virtualized guests without requiring system calls or special privileges. It can be exploited to leak sensitive information such as encryption keys and passwords as users log in. The exploit is capable of leaking about 30 kb per core per second, making it fast enough to monitor encryption keys and passwords in real time (Zenbleed Blog).
AMD has released microcode updates to address the vulnerability, though initially only for 2nd Gen EPYC processors. For systems without an available microcode update, the software workaround is to set the chicken bit DE_CFG[9], which may have some performance impact. This can be done using msr-tools on Linux systems. Disabling SMT (Simultaneous Multi-Threading) is not sufficient to mitigate the vulnerability (Xen Advisory, AMD Security Bulletin).
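For hosts relying on the DE_CFG[9] workaround rather than a microcode update, the following added example (not code from AMD, Xen or the Zenbleed write-up) audits whether the bit is set on every logical CPU. The DE_CFG MSR address 0xc0011029 does not appear on this page, and the function names and sample readings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Zenbleed software workaround (DE_CFG bit 9).
DE_CFG_MSR=0xc0011029      # AMD DE_CFG MSR address (assumption: not stated on the page)
CHICKEN_BIT=9              # DE_CFG[9], the bit named in the mitigation text

# Succeeds (exit 0) when bit 9 is set in the given DE_CFG value.
de_cfg_bit9_set() {
    [ $(( $1 & (1 << CHICKEN_BIT) )) -ne 0 ]
}

# Reads "cpu value" lines on stdin and prints the CPUs missing the bit.
# The MSR is per core, so a single CPU with the bit clear fails the audit.
unmitigated_cpus() {
    missing=""
    while read -r cpu value; do
        [ -n "$cpu" ] || continue
        de_cfg_bit9_set "$value" || missing="${missing:+$missing }$cpu"
    done
    printf '%s\n' "$missing"
}

# Live collection with msr-tools: needs root and the msr kernel module.
read_live() {
    for dev in /dev/cpu/[0-9]*/msr; do
        cpu=${dev#/dev/cpu/}; cpu=${cpu%/msr}
        printf '%s %s\n' "$cpu" "$(rdmsr -p "$cpu" -c "$DE_CFG_MSR")"
    done
}

# Constructed sample: CPUs 0 and 1 have bit 9 set, CPU 2 does not.
sample_readings() {
    printf '0 0x200\n1 0x1c0000000000200\n2 0x1c0000000000000\n'
}

if [ "${1:-}" = "--live" ]; then
    bad=$(read_live | unmitigated_cpus)
else
    bad=$(sample_readings | unmitigated_cpus)
fi
if [ -n "$bad" ]; then
    echo "DE_CFG[9] clear on CPU(s): $bad"
else
    echo "DE_CFG[9] set on all CPUs"
fi
```

Run without arguments it evaluates the constructed sample; with `--live` it reads the MSR on the local machine. A value written with wrmsr does not survive a reboot, so the audit belongs in whatever re-applies the setting at boot.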
The security community has expressed concern about AMD's response to the vulnerability, particularly regarding the timeline for fixes. While EPYC processors received immediate patches, other affected processors including consumer Ryzen chips were scheduled for updates between October and December 2023. This was described as "a disaster of a security announcement from AMD" by security researchers, as it left many systems vulnerable for an extended period (OSS Security List).
Source: This report was generated using AI