First published 24 August 2023

CVSS 3.1: 5.6 (Medium)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Summary

A vulnerability named Inception has been discovered in some AMD CPUs. It affects the following IGEL products:

  • IGEL OS 12 running on specific AMD CPUs
  • IGEL OS 11 running on specific AMD CPUs

Details

It has been discovered that a local attacker could steal information from other users or VMs on the same system, or from the Linux kernel, on certain AMD processors. This vulnerability has been named Inception (CVE-2023-20569) and is rated as medium.

Such side-channel threats mainly target environments that host many VMs, which is not the case with IGEL OS. In addition, IGEL follows AMD's general recommendation for this case: prevent the execution of malware by keeping packages up to date and applying security policies through the respective configuration.

Inception affects AMD’s Zen 3 and Zen 4 architectures, including Ryzen and Athlon processors. The new CVE.org site has a list at https://www.cve.org/CVERecord?id=CVE-2023-20569

AMD states that it is not aware of this vulnerability being exploited in the wild.

Update instructions

  • OS 12: Install a BIOS version containing a microcode fix for this issue. Alternatively, wait for IGEL OS Base System version 12.3.0 (scheduled for December 2023) and update to it.
  • OS 11: Install a BIOS version containing a microcode fix for this issue. Check whether you can utilize LVFS to deploy the update from UMS: https://kb.igel.com/igelos-11.08.330/en/bios-tools-88019317.html
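
After a BIOS update, the Linux kernel's own status line for this issue shows whether the microcode fix is active. The shell check below is an added example, not part of IGEL's advisory or tooling; it assumes shell access on the device and a kernel recent enough to expose the `spec_rstack_overflow` sysfs entry (the kernel's name for Inception), and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the kernel's Inception (SRSO) status line.
# Assumption: the running kernel exposes this sysfs entry; older kernels do not.
SRSO_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow

# classify_srso STATUS -> prints one of:
#   not_affected | needs_microcode | mitigated | vulnerable | unknown
# Matching is case-insensitive and pattern-based because the exact wording
# of the status line has changed between kernel releases.
classify_srso() {
    status=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$status" in
        "not affected"*)   echo not_affected ;;
        # Checked before the generic prefixes: a software mitigation without
        # the microcode fix still calls for the BIOS update described above.
        *"no microcode"*)  echo needs_microcode ;;
        mitigation:*)      echo mitigated ;;
        vulnerable*)       echo vulnerable ;;
        *)                 echo unknown ;;
    esac
}

# srso_report [FILE] -> prints "<class>: <raw status>" for this machine.
# FILE defaults to the sysfs entry; pass another path to check a saved copy.
srso_report() {
    file=${1:-$SRSO_SYSFS}
    if [ -r "$file" ]; then
        raw=$(cat "$file")
        echo "$(classify_srso "$raw"): $raw"
    else
        echo "unknown: $file not readable (kernel without SRSO reporting?)"
    fi
    return 0
}

srso_report
```

A result of `needs_microcode` or `vulnerable` after the update means the installed BIOS did not deliver the microcode fix or the kernel mitigation is not enabled.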

References