SB2022072234 - openEuler update for microcode_ctl
Published: July 22, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Incomplete cleanup (CVE-ID: CVE-2020-24489)
CWE-ID: CWE-459 - Incomplete cleanup
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incomplete cleanup, which leads to security restrictions bypass and privilege escalation.
2) Information disclosure (CVE-ID: CVE-2020-24513)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user o gain access to potentially sensitive information.
The vulnerability exists due to domain-bypass transient execution issue. A local user can gain unauthorized access to sensitive information on the system.
3) Security features bypass (CVE-ID: CVE-2021-0146)
CWE-ID: CWE-254 - Security Features
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to hardware allows activation of test or debug logic at runtime. An attacker with physical access to device can execute arbitrary code with elevated privileges.
Remediation
Install update from vendor's website.