ISN 2023-17: AMD Inception CPU Vulnerability
First published 24 August 2023
CVSS 3.1: 5.6 (Medium)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
A vulnerability named Inception has been discovered in some AMD CPUs. It affects the following IGEL products:
IGEL OS 12 running on specific AMD CPUs
IGEL OS 11 running on specific AMD CPUs
Details
It has been discovered that a local attacker could steal information from other users or VMs on the same system, or from the Linux kernel, on certain AMD processors. This vulnerability has been named Inception (CVE-2023-20569) and is rated as medium.
Side-channel threats of this kind mainly target environments that host many VMs, which is not the case with IGEL OS. In addition, IGEL follows AMD's general recommendation for this case: prevent the execution of malware by keeping packages up to date and applying security policies through the respective configuration.
Inception affects AMD’s Zen 3 and Zen 4 architectures, including Ryzen and Athlon processors. The new CVE.org site has a list at https://www.cve.org/CVERecord?id=CVE-2023-20569
AMD states that it is not aware of this vulnerability being exploited in the wild.
Update instructions
OS 12: Install a BIOS version containing a microcode fix for this issue. Alternatively, wait for IGEL OS Base System version 12.3.0 (scheduled for December 2023) and update to that.
OS 11: Install a BIOS version containing a microcode fix for this issue. Check whether you can utilize LVFS to deploy the update from UMS: IGEL OS > IGEL OS Articles > BIOS Tools
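After a BIOS or base system update, the kernel's own report for this issue shows whether a mitigation is active or microcode is still missing. The script below is an added example, not IGEL's code: it assumes the running Linux kernel exposes the mainline status file /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow, and the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's status report for Inception
# (speculative return stack overflow, CVE-2023-20569).
SRSO_FILE=/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow

# Map one status line to a verdict. Matching is case-insensitive and by
# keyword because the exact wording differs between kernel versions.
srso_classify() {
    s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$s" in
        "not affected"*)   echo not-affected ;;
        *"no microcode"*)  echo needs-microcode ;;   # BIOS/microcode update pending
        "mitigation:"*)    echo mitigated ;;
        "vulnerable"*)     echo vulnerable ;;
        *)                 echo unknown ;;
    esac
}

# Read the status file (path overridable for testing) and print the verdict.
# Returns 0 only when the CPU is not affected or a mitigation is active,
# 1 when action is still needed, 2 when the kernel gives no report.
srso_check() {
    f=${1:-$SRSO_FILE}
    if [ ! -r "$f" ]; then
        echo "unknown: $f missing (kernel does not report this issue)"
        return 2
    fi
    line=$(head -n 1 "$f")
    verdict=$(srso_classify "$line")
    echo "$verdict: $line"
    case "$verdict" in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample status lines, modelled on kernel output.
for sample in "Not affected" "Vulnerable: No microcode" \
              "Vulnerable: Safe RET, no microcode" "Mitigation: Safe RET"; do
    printf '%-38s -> %s\n' "$sample" "$(srso_classify "$sample")"
done
srso_check || true   # verdict for the machine this script runs on
```

The return code of srso_check lets a fleet-wide compliance job flag endpoints that still need the BIOS update.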
References
ETH Zurich COMSEC, “Inception: how a simple XOR can cause a Microarchitectural Stack Overflow”: https://comsec.ethz.ch/research/microarch/inception/
AMD Return Address Security Bulletin (AMD-SB-7005): https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html
CVE-2023-20569: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569
CVE-2023-20569 (new site): https://www.cve.org/CVERecord?id=CVE-2023-20569