SB2024122740 - Ubuntu update for intel-microcode

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Incorrect default permissions (CVE-ID: CVE-2024-21820)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions in some Intel Xeon processor memory controller configurations when using Intel SGX. A local user escalate privileges on the system.

2) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2024-23918)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper error handling in Intel SGX. A local user can execute arbitrary code with elevated privileges.

3) Improper finite state machines in hardware logic (CVE-ID: CVE-2024-21853)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in hardware logic. A local unprivileged user can perform a denial of service (DoS) attack.

4) Observable discrepancy (CVE-ID: CVE-2024-23984)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to observable discrepancy in Running Average Power Limit (RAPL) interface. A local privileged user can gain access to potentially sensitive information.

5) State Issues (CVE-ID: CVE-2024-24968)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to improper finite state machines (FSMs) in hardware logic. A local privileged user can perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-7149-1