The INCEPTION Vulnerability affecting AMD’s Zen 3 and Zen 4 CPUs (CVE-2023-20569)
Some information found in this blog post has been sourced from an AMD security bulletin as well as a Phoronix article covering a speculative side-channel attack termed “INCEPTION.”
Shortly after Zenbleed was announced, yet another vulnerability relying upon side-channels techniques has been disclosed by AMD. While Zenbleed impacted Zen 1 and Zen 2 based CPUs, INCEPTION affects Zen 3 (Milan) and Zen 4 (Genoa/Bergamo). Please read this blog post to learn about this security flaw and how to remedy it, and make sure to check back for any updates.
TuxCare’s Extended Lifecycle Support status can be tracked here.
TuxCare’s KernelCare Enterprise status can be tracked here.
The Current Status of INCEPTION
AMD has received an external report describing a new speculative side-channel attack known as INCEPTION. This attack is analogous to previous branch prediction-based attacks such as Spectrev2 and Branch Type Confusion (BTC)/RetBleed. This vulnerability is registered as CVE-2023-20569 and potentially affects data confidentiality.
AMD believes this vulnerability is only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools.
AMD is planning to release updated AGESA™ versions to Original Equipment Manufacturers (OEM), Original Design Manufacturers (ODM), and motherboard (MB) manufacturers to address the INCEPTION vulnerability. The µcode patches or BIOS updates are applicable for products based on “Zen 3” and “Zen 4” CPU architectures, as they are designed to flush branch type predictions from the branch predictor.
What Are the Risks of INCEPTION?
The INCEPTION vulnerability may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure. To exploit this vulnerability, an attacker must have knowledge of the address space and control of sufficient registers at the time of RET (return from procedure) speculation.
Mitigation
To mitigate the INCEPTION vulnerability, AMD recommends the following steps:
- Apply either the standalone µcode patch or a BIOS update that incorporates the µcode patch, as applicable, for products based on “Zen 3” and “Zen 4” CPU architectures.
- Refer to your OEM, ODM, or MB for a BIOS update specific to your product. AMD will release updated AGESA™ versions on the target dates listed in the AMD security bulletin.
- Evaluate operating system (OS) configuration options to help mitigate certain aspects of this vulnerability. “Zen 3” and “Zen 4” based systems will require the µcode patch, which is incorporated in the BIOS update, prior to enabling OS configuration options.
- Stay Up to Date with Security Tools: Keep your software and malware detection tools current to fend off potential threats.
Conclusion
AMD is actively addressing the issue, and updated BIOS and µcode patches will be available as per the timeline mentioned in the security bulletin.
Relevant patches may be necessary in the coming days, and this post will be updated to reflect its availability to TuxCare users.