SB20230820173 - Fedora 38 update for microcode_ctl

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20230820173

SB20230820173 - Fedora 38 update for microcode_ctl

Published: August 20, 2023

Security Bulletin ID SB20230820173
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Adjecent network
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2022-21216)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in out-of-band management in Intel processors. A remote privileged user on the local network can bypass implemented security restrictions and gain unauthorized access to the application.


2) Incorrect default permissions (CVE-ID: CVE-2022-33196)

CWE-ID: CWE-276 - Incorrect Default Permissions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for memory controller configurations for some Intel Xeon processors when using Intel Software Guard Extensions. A local user escalate privileges on the system.


3) Incorrect calculation (CVE-ID: CVE-2022-33972)

CWE-ID: CWE-682 - Incorrect Calculation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect calculation in microcode keying mechanism. A local user can gain access to sensitive information.


4) Improper isolation or compartmentalization (CVE-ID: CVE-2022-38090)

CWE-ID: CWE-653 - Improper isolation or compartmentalization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper isolation of shared resources in some Intel processors when using Intel Software Guard Extensions. A local user can gain access to sensitive information.


Remediation

Install update from vendor's website.

References