Ubuntu update for intel-microcode



Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2024-31068
CVE-2024-36293
CVE-2024-39279
CWE-ID CWE-20
CWE-284
Exploitation vector Local
Public exploit N/A
Vulnerable software
 Ubuntu
Operating systems & Components / Operating system

intel-microcode (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU104106

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-31068

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper Finite State Machines (FSMs) in Hardware Logic. A local administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package intel-microcode to the latest version.

Vulnerable software versions

Ubuntu: 24.04

intel-microcode (Ubuntu package): before 3.20250211.0ubuntu0.24.04.1

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7269-2


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU104108

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-36293

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the EDECCSSA user leaf function. A local user can bypass implemented security restrictions and perform a denial of service (DoS) attack.

Mitigation

Update the affected package intel-microcode to the latest version.

Vulnerable software versions

Ubuntu: 24.04

intel-microcode (Ubuntu package): before 3.20250211.0ubuntu0.24.04.1

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7269-2


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU104039

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-39279

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient granularity of access control. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package intel-microcode to the latest version.

Vulnerable software versions

Ubuntu: 24.04

intel-microcode (Ubuntu package): before 3.20250211.0ubuntu0.24.04.1

CPE2.3 External links

https://ubuntu.com/security/notices/USN-7269-2


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###