From Tom's Hardware: Swiss researchers have found holes in AMD Ryzen processor security. AMD has outlined the newly uncovered "Inception" attack in its official CVE-2023-20569 bulletin. Like some of the most infamous CPU vulnerabilities, Inception is a speculative side channel attack, which can possibly lead to privileged data leakage to unprivileged processes. At the time of writing AMD is not aware of any Inception exploits outside of security research circles.
Unfortunately for AMD and its users, Inception affects the latest AMD Ryzen processor families based on Zen 3 and Zen 4 cores — across data center, desktop, HEDT, and mobile. However, we must be thankful that, as details of Inception go live, mitigations are in the pipeline.
In its security bulletin, AMD says that customers may have a choice between a standalone microcode patch or a BIOS update that incorporates the microcode patch. AMD CPU users may be familiar with the quite frequent AGESA microcode update releases, and some patches will be delivered this way later this month, while others might have to wait until December. Users are asked to check with their OEM, ODM, or MB for a BIOS update specific to their product.
To be clear, AMD says that users of products based on the Zen or Zen 2 CPU architectures don't need any patching "because these architectures are already designed to flush branch type predictions from the branch predictor." This is a little different from what the researchers from ETH Zurich say in their Inception paper (PDF), so we hope things will become clearer soon.
View: Full Article