High-Severity Intel Microcode Vulnerabilities Fixed in Ubuntu
Recently, multiple high-severity vulnerabilities were discovered in Intel Microcode that could potentially lead to privilege escalation. Canonical, the organization behind Ubuntu, has acted swiftly by releasing security updates to address these vulnerabilities. This article explores the details of these vulnerabilities and offers essential guidance on safeguarding your Ubuntu systems.
Overview of Intel Microcode Vulnerabilities
CVE-2023-42667 (CVSS v3 Severity Score: 7.8 High)
An issue was found in some Intel® Core(TM) Ultra Processors where the stream cache was not properly isolated. A local authenticated user can exploit this flaw to potentially escalate their privileges on the system.
CVE-2023-49141 (CVSS v3 Severity Score: 7.8 High)
Similar to CVE-2023-42667, another vulnerability involving improper stream cache isolation was identified in some Intel® Processors. This flaw allows a local authenticated user to elevate their privileges, making it possible to execute unauthorized actions on the affected system.
CVE-2024-24853 (CVSS v3 Severity Score: 7.2 High)
This vulnerability affects the transition between the executive monitor and SMI transfer monitor (STM) in certain Intel® Processors. A privileged local user could exploit this flaw to escalate their privileges, potentially gaining control over the full system.
CVE-2024-24980 (CVSS v3 Severity Score: 6.1 Medium)
A vulnerability was found in the 3rd, 4th, and 5th Generation Intel® Xeon® Processors, where a protection mechanism was not correctly implemented. This issue could be leveraged by a local attacker to escalate their privileges, leading to unauthorized access or control of the system.
CVE-2024-25939 (CVSS v3 Severity Score: 6.0 Medium)
This flaw was discovered in the 3rd Generation Intel® Xeon® Scalable Processors, where improper handling of mirrored regions with different values could result in a denial of service (system crash). A privileged local user could exploit this vulnerability to disrupt system operations.
Protecting Your Ubuntu Systems
To safeguard your Ubuntu systems against these vulnerabilities, it is crucial to update the Intel Microcode package to the latest patched version. Canonical has released critical updates for the following Ubuntu versions:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 ESM
- Ubuntu 16.04 ESM
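The following shell check is an added example, not code from Canonical or from the advisory. It confirms that the intel-microcode package is at the fixed version and that the CPU is running a newer revision than before, since microcode from the package is loaded early at boot and the running revision changes only after a restart. FIXED_PKG_VERSION and REV_BEFORE are assumed inputs: read the fixed version for your release from USN-6967-1, and note the revision shown in /proc/cpuinfo before updating.

```shell
#!/bin/sh
# Added example: confirm an intel-microcode update is installed AND loaded.
# Assumed inputs (not given on this page):
#   FIXED_PKG_VERSION  fixed package version for your release, from USN-6967-1
#   REV_BEFORE         microcode revision noted from /proc/cpuinfo before updating

# Return 0 if the installed intel-microcode package is at or above $1.
package_patched() {
    installed=$(dpkg-query -W -f='${Version}' intel-microcode 2>/dev/null) || return 2
    dpkg --compare-versions "$installed" ge "$1"
}

# Print the distinct microcode revisions reported by the logical CPUs.
# $1: cpuinfo-format file (default /proc/cpuinfo).
loaded_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# Compare the running revision with the one recorded before the update.
# $1: earlier revision (hex, e.g. 0x430)   $2: cpuinfo-format file
# Returns 0 = newer revision loaded, 1 = unchanged, 2 = cannot decide.
check_loaded() {
    revs=$(loaded_revisions "${2:-/proc/cpuinfo}")
    count=$(printf '%s\n' "$revs" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "cannot decide: $count distinct revisions reported"
        return 2
    fi
    # printf converts the hex strings without evaluating them as shell arithmetic.
    if [ "$(printf '%d' "$revs")" -gt "$(printf '%d' "$1")" ]; then
        echo "loaded: $revs (was $1)"
        return 0
    fi
    echo "unchanged at $revs: reboot pending, or no newer microcode for this CPU model"
    return 1
}

# Runs only when both inputs are supplied in the environment.
if [ -n "${FIXED_PKG_VERSION:-}" ] && [ -n "${REV_BEFORE:-}" ]; then
    if package_patched "$FIXED_PKG_VERSION"; then
        echo "package: at or above $FIXED_PKG_VERSION"
    else
        echo "package: missing or below $FIXED_PKG_VERSION"
    fi
    check_loaded "$REV_BEFORE"
fi
```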
For Ubuntu 18.04 and Ubuntu 16.04, which have reached their end of life (EOL), Canonical provides security updates through Extended Security Maintenance (ESM). These updates are available to users with an Ubuntu Pro subscription, which is relatively expensive.
TuxCare offers an affordable alternative solution, Extended Lifecycle Support (ELS), providing an additional five years of security patching for Ubuntu 16.04 and Ubuntu 18.04 post-EOL. TuxCare’s ELS covers over 140 critical packages, including the Linux kernel, Intel Microcode, Python, OpenSSL, glibc, and OpenJDK, among others. This makes it a cost-effective option for organizations that need to maintain older Ubuntu systems while ensuring robust security.
The ELS team is actively working on deploying patches for these vulnerabilities, which will be available soon. You can monitor the release status of all vulnerabilities across various Linux distributions using this CVE tracker.
Source: USN-6967-1