| Summary: | microcode new security issues CVE-2023-22655, CVE-2023-28746, CVE-2023-38575, CVE-2023-39368 and CVE-2023-43490 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, herman.viaene, mageia, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK MGA9-32-OK | | |
| Source RPM: | microcode-0.20231114-1.mga9.nonfree.src.rpm | CVE: | CVE-2023-22655, CVE-2023-28746, CVE-2023-38575, CVE-2023-39368, CVE-2023-43490 |
| Status comment: | | | |
Description
Nicolas Salguero
2024-03-25 16:56:26 CET
Nicolas Salguero
2024-03-25 16:57:08 CET
Status comment:
(none) =>
Fixed upstream in 20240312

A lot of CVEs fixed by one version update!
Assigning to the kernel group, who normally do microcode as well.

Assignee:
bugsquad =>
kernel

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Protection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2023-22655)

Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2023-28746)

Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2023-38575)

Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access. (CVE-2023-39368)

Incorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access. (CVE-2023-43490)

References:
https://lwn.net/Articles/966603/
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
========================

Updated packages in nonfree/updates_testing:
========================
microcode-0.20240312-1.mga9.nonfree

from SRPM:
microcode-0.20240312-1.mga9.nonfree.src.rpm

Whiteboard:
MGA9TOO =>
(none)
Nicolas Salguero
2024-03-26 13:47:51 CET
Source RPM:
microcode-0.20231114-1.mga10.nonfree.src.rpm =>
microcode-0.20231114-1.mga9.nonfree.src.rpm
PC LX
2024-03-26 16:29:25 CET
CC:
(none) =>
mageia
katnatek
2024-03-26 18:08:42 CET
Keywords:
(none) =>
advisory

MGA9-64 Plasma Wayland on HP-Pavilion - CPU and graphics Intel
No installation issues.
Rebooted after installation, no ill effects noticed.
Waiting for others with other HW.

CC:
(none) =>
herman.viaene

MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics.

No installation issues. After reboot:

```
# journalctl -xb | grep microcode
Mar 28 17:42:15 localhost.localdomain kernel: microcode: updated early: 0x84 -> 0xf8, date = 2023-09-28
Mar 28 17:42:15 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.
```

The date indicates my processor wasn't affected this time, but otherwise all is OK.

CC:
(none) =>
andrewsfarm

MGA9-64 Xfce, AMD A6 (apu)
installed and spent most of the day using it. No issues

MGA9-64 Plasma, AMD Ryzen 5600, Nvidia 1050
installed, no issues

CC:
(none) =>
brtians1

RH mageia 9 x86_64

```
journalctl -xb | grep microcode
mar 29 11:11:28 phoenix kernel: microcode: updated early: 0x2 -> 0x7, date = 2018-04-23
mar 29 11:11:28 phoenix kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
mar 29 11:11:28 phoenix kernel: microcode: Microcode Update Driver: v2.2.
rpm -q microcode
microcode-0.20240312-1.mga9.nonfree
```

No issues detected

RH mageia 9 i586

```
journalctl -xb | grep microcode
mar 29 11:45:28 cefiro kernel: microcode: updated early: 0xa3 -> 0xa4, date = 2010-10-02
mar 29 11:45:28 cefiro kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
mar 29 11:45:28 cefiro kernel: microcode: Microcode Update Driver: v2.2.
rpm -q microcode
microcode-0.20240312-1.mga9.nonfree
```

No issues detected

MGA9-64 Plasma, AMD Phenom II X4 910, Radeon HD 8490 graphics.

Everything in the advisory involves Intel, so I would not expect this old AMD-based system to be affected, and indeed, that seems to be the case. No issues to note after a reboot.

However...

MGA9-64 Plasma, HP Pavilion 15, AMD A8-4555 APU, HD 7600G graphics.

No installation issues. The reboot was a bit slower than normal, and afterward:

```
[root@localhost ~]# journalctl -xb | grep microcode
Mar 30 08:28:28 localhost.localdomain kernel: microcode: microcode updated early to new patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU0: patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU1: patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU2: patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU3: patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU3: new patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU2: new patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU1: new patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU0: new patch_level=0x06001119
Mar 30 08:28:28 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.
```

I'm not sure if that means a new microcode for this system, as I didn't try that command before the update. But either way, the system seems to be unaffected.

Several successful tests, sending this on. Validating.

Whiteboard:
(none) =>
MGA9-64-OK MGA9-32-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0103.html

Resolution:
(none) =>
FIXED
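The check the testers ran by eye, as an added example that is not part of the original bug report: it parses the kernel `microcode:` lines in the two formats quoted in the comments, for the boot before and the boot after the package update, and reports whether the loaded revision changed. The function names and the `BEFORE_INTEL`/`AFTER_INTEL` lines are constructed for illustration; the other sample lines are copied from the comments above.

```python
import re

# Line formats as quoted in the test reports above.
INTEL = re.compile(r"microcode: updated early: (0x[0-9a-f]+) -> (0x[0-9a-f]+), date = ([\d-]+)")
AMD = re.compile(r"microcode: microcode updated early to new patch_level=(0x[0-9a-f]+)")
NO_UCODE = re.compile(r"kernel: ([\w ]+): Vulnerable: .*no microcode")


def loaded_revision(lines):
    """Return (format, revision, blob_date) for one boot, or None if no early load was logged."""
    for line in lines:
        if m := INTEL.search(line):
            # Second value is the revision the kernel loaded; first is what firmware provided.
            return ("intel", int(m.group(2), 16), m.group(3))
        if m := AMD.search(line):
            return ("amd", int(m.group(1), 16), None)
    return None


def compare_boots(before, after):
    """Classify the update's effect on this CPU: 'changed', 'unchanged' or 'unknown'."""
    old, new = loaded_revision(before), loaded_revision(after)
    if old is None or new is None:
        return "unknown"  # no baseline recorded, as in the A8-4555 report above
    return "changed" if new[1] != old[1] else "unchanged"


def mitigations_missing_microcode(lines):
    """Names of mitigations the kernel reports as lacking microcode support."""
    return sorted({m.group(1) for line in lines if (m := NO_UCODE.search(line))})


# Constructed sample (invented revisions): boot before and boot after the update.
BEFORE_INTEL = ["Mar 27 09:00:01 host kernel: microcode: updated early: 0x10 -> 0x20, date = 2022-01-01"]
AFTER_INTEL = ["Mar 28 09:00:01 host kernel: microcode: updated early: 0x10 -> 0x21, date = 2023-01-01"]
# Lines copied from the comments above (after-update boot only).
AFTER_AMD = [
    "Mar 30 08:28:28 localhost.localdomain kernel: microcode: microcode updated early to new patch_level=0x06001119",
    "Mar 30 08:28:28 localhost.localdomain kernel: microcode: CPU0: patch_level=0x06001119",
]
AFTER_OLD = [
    "mar 29 11:11:28 phoenix kernel: microcode: updated early: 0x2 -> 0x7, date = 2018-04-23",
    "mar 29 11:11:28 phoenix kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode",
]

if __name__ == "__main__":
    print(compare_boots(BEFORE_INTEL, AFTER_INTEL))
    print(compare_boots([], AFTER_AMD))
    print(mitigations_missing_microcode(AFTER_OLD))
```

On a live system the `before` lines would come from `journalctl -k -b -1` and the `after` lines from `journalctl -k -b`, which requires a persistent journal.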