| Summary: | microcode new security issues CVE-2023-45733, CVE-2023-46103 and CVE-2023-45745 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, fri, herman.viaene, sysadmin-bugs, tablackwell, tarazed25, westel |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK MGA9-32-OK | | |
| Source RPM: | microcode-0.20240312-1.mga9.nonfree.src.rpm | CVE: | CVE-2023-45733, CVE-2023-46103, CVE-2023-45745 |
| Status comment: | | | |
|
Description
Nicolas Salguero
2024-05-29 15:40:29 CEST
Nicolas Salguero
2024-05-29 15:41:15 CEST
Source RPM:
(none) =>
microcode-0.20240312-1.mga10.nonfree.src.rpm
Nicolas Salguero
2024-05-29 15:45:01 CEST
Whiteboard:
(none) =>
MGA9TOO
Morgan Leijström
2024-05-29 21:57:20 CEST
CC:
(none) =>
fri
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Hardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access. (CVE-2023-45733)

Sequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access. (CVE-2023-46103)

Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2023-45745)

References:
https://ubuntu.com/security/notices/USN-6797-1
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514
========================

Updated package in core/updates_testing:
========================
microcode-0.20240514-1.mga9.nonfree

from SRPM:
microcode-0.20240514-1.mga9.nonfree.src.rpm
Source RPM:
microcode-0.20240312-1.mga10.nonfree.src.rpm =>
microcode-0.20240312-1.mga9.nonfree.src.rpm
katnatek
2024-05-30 20:17:27 CEST
Keywords:
(none) =>
advisory
mga9, x64
12-core (4-mt/8-st) 12th Gen Intel Core i7-1260P [MST AMCP]
Updated package via qarepo...
Reboot.
$ sudo journalctl -xb | grep microcode
May 30 20:33:34 yildun kernel: microcode: updated early: 0x421 -> 0x433, date = 2023-12-05
May 30 20:33:34 yildun kernel: microcode: Microcode Update Driver: v2.2.
Not an Ultra processor so no change.
CC:
(none) =>
tarazed25
mga9-64, old i870
$ sudo journalctl -xb | grep microcode
maj 30 20:54:54 svarten.tribun kernel: microcode: updated early: 0x3 -> 0xa, date = 2018-05-08
maj 30 20:54:54 svarten.tribun kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
maj 30 20:54:54 svarten.tribun kernel: microcode: Microcode Update Driver: v2.2.
$ inxi -c
CPU: dual core Intel Core i7 870 (-MT MCP-) speed/min/max: 3407/1200/2934 MHz Kernel: 6.6.28-desktop-1.mga9 x86_64 Up: 4h 56m Mem: 3933.3/15994.3 MiB (24.6%) Storage: 2.27 TiB (81.4% used) Procs: 266 Shell: Bash inxi: 3.3.26
No problem noted during a few hours use.

mga9-64, Thinkpad T510
$ sudo journalctl -xb | grep microcode
[sudo] lösenord för ettan:
maj 30 11:34:34 localhost kernel: microcode: updated early: 0x3 -> 0x7, date = 2018-04-23
maj 30 11:34:34 localhost kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
maj 30 11:34:34 localhost kernel: microcode: Microcode Update Driver: v2.2.
$ inxi -c
CPU: dual core Intel Core i5 M 540 (-MT MCP-) speed/min/max: 1531/1199/2534 MHz Kernel: 6.6.28-1.mga9 x86_64 Up: 14h 51m Mem: 3855.7/7813.9 MiB (49.3%) Storage: 447.13 GiB (18.2% used) Procs: 338 Shell: Bash inxi: 3.3.26
No problems noted.
RH mageia 9 x86_64
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing microcode-0.20240514-1.mga9.nonfree.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: microcode ##################################################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
1/1: removing microcode-0.20240312-1.mga9.nonfree.noarch
##################################################################################################
journalctl -xb | grep microcode
may 30 19:20:25 phoenix kernel: microcode: updated early: 0x2 -> 0x7, date = 2018-04-23
may 30 19:20:25 phoenix kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
may 30 19:20:25 phoenix kernel: microcode: Microcode Update Driver: v2.2.
Consistent bug#33015 comment#6
RH mageia 9 i586
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
installing microcode-0.20240514-1.mga9.nonfree.noarch.rpm from //home/katnatek/qa-testing/i586
Preparing... ################################################################
1/1: microcode ################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
1/1: removing microcode-0.20240312-1.mga9.nonfree.noarch
################################################################
journalctl -xb | grep microcode
may 30 19:21:28 cefiro kernel: microcode: updated early: 0xa3 -> 0xa4, date = 2010-10-02
may 30 19:21:28 cefiro kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
may 30 19:21:29 cefiro kernel: microcode: Microcode Update Driver: v2.2.
Consistent bug#33015 comment#7
Note: Obviously I rebooted after the update, and when the system finished loading I opened the session again and proceeded to paste the saved result of the update and the journalctl output for both tests.
MGA9-64 Plasma, i5-7500. No installation issues.
[root@localhost ~]# journalctl -xb | grep microcode
May 30 21:52:12 localhost.localdomain kernel: microcode: updated early: 0xb4 -> 0xf8, date = 2023-09-28
May 30 21:52:12 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.
[root@localhost ~]# inxi -c
CPU: quad core Intel Core i5-7500 (-MCP-) speed/min/max: 1229/800/3800 MHz Kernel: 6.6.28-desktop-1.mga9 x86_64 Up: 2m Mem: 3249.1/48118.6 MiB (6.8%) Storage: 1.84 TiB (26.4% used) Procs: 279 Shell: Bash inxi: 3.3.26
Looks good so far.
CC:
(none) =>
andrewsfarm
urpmi microcode
~
~
installing microcode-0.20240514-1.mga9.nonfree.noarch.rpm from /var/cache/urpmi/rpms
Preparing... #####################################################################################
1/1: microcode #####################################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
1/1: removing microcode-0.20240312-1.mga9.nonfree.noarch
~
reboot to a working system
lscpu
Architecture: x86_64
Vendor ID: AuthenticAMD
Model name: AMD E1-6010 APU with AMD Radeon R2 Graphics
CC:
(none) =>
westel
MGA9-64 Plasma Wayland on HP-Pavilion. No installation issues. Rebooted and all seems OK.
$ inxi -c
CPU: quad core Intel Pentium N3710 (-MCP-) speed/min/max: 1369/480/2560 MHz Kernel: 6.6.28-server-1.mga9 x86_64 Up: 4m Mem: 1879.0/3771.0 MiB (49.8%) Storage: 465.76 GiB (7.5% used) Procs: 242 Shell: Bash inxi: 3.3.26
CC:
(none) =>
herman.viaene
MGA9-64 Plasma on an HP Pavilion. This one is AMD-based, so probably not affected, but...
[root@localhost ~]# journalctl -xb | grep microcode
May 31 08:08:35 localhost.localdomain kernel: microcode: microcode updated early to new patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU2: patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU3: patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU0: patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU1: patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU3: new patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU2: new patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU1: new patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU0: new patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.
[root@localhost ~]# inxi -c
CPU: quad core AMD A8-4555M APU with Radeon HD Graphics (-MT MCP-) speed/min/max: 1175/1100/1600 MHz Kernel: 6.6.28-desktop-1.mga9 x86_64 Up: 3m Mem: 2057.3/15192.6 MiB (13.5%) Storage: 942.7 GiB (26.5% used) Procs: 223 Shell: Bash inxi: 3.3.26
Looks good here.
Older i7 system
$ inxi -C
CPU:
Info: quad core model: Intel Core i7-7700K bits: 64 type: MT MCP cache:
L2: 1024 KiB
Speed (MHz): avg: 800 min/max: 800/4500 cores: 1: 800 2: 800 3: 800 4: 800
5: 800 6: 800 7: 800 8: 800
microcode update uneventful and all seems OK on re-boot
CC:
(none) =>
tablackwell
MGA9-64, two different AMD systems, Ryzen 5600 and 3015i: installation didn't kill them.
CC:
(none) =>
brtians1
Enough tests. Validating.
CC:
(none) =>
sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0207.html
Status:
ASSIGNED =>
RESOLVED |
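
Added example, not part of the original bug report or of any Mageia tooling: the testers in this thread verify the update by grepping the boot journal for `microcode`, and this Python script parses the same kernel lines per host, recording the early-load revision change and any mitigation the kernel still reports as `Vulnerable` after the load. The function name `summarize`, the result keys and the regular expressions are assumptions derived only from the log lines quoted on this page.

```python
import re

# Sample input: kernel lines as quoted in the test reports on this page.
SAMPLE = """\
May 30 20:33:34 yildun kernel: microcode: updated early: 0x421 -> 0x433, date = 2023-12-05
May 30 20:33:34 yildun kernel: microcode: Microcode Update Driver: v2.2.
maj 30 20:54:54 svarten.tribun kernel: microcode: updated early: 0x3 -> 0xa, date = 2018-05-08
maj 30 20:54:54 svarten.tribun kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
May 31 08:08:35 localhost.localdomain kernel: microcode: microcode updated early to new patch_level=0x06001119
May 31 08:08:35 localhost.localdomain kernel: microcode: CPU0: patch_level=0x06001119
"""

# "<month> <day> <time> <host> kernel: <message>" (month name may be localized)
LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+kernel:\s+(?P<msg>.*)$")
INTEL = re.compile(r"microcode: updated early: (0x[0-9a-f]+) -> (0x[0-9a-f]+), date = (\d{4}-\d{2}-\d{2})")
AMD = re.compile(r"microcode: microcode updated early to new patch_level=(0x[0-9a-f]+)")
# Mitigation status lines look like "MDS: Vulnerable: ...".
VULN = re.compile(r"^(?P<issue>[A-Za-z0-9 /_-]+): Vulnerable\b")


def summarize(journal_text):
    """Return {host: info} describing the early microcode load in each host's boot log."""
    hosts = {}
    for raw in journal_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        entry = hosts.setdefault(m["host"], {
            "vendor": None, "old": None, "new": None,
            "date": None, "advanced": None, "vulnerable": []})
        msg = m["msg"]
        if (i := INTEL.search(msg)):
            old, new, date = i.groups()
            # "advanced" compares the loaded revision with the one present before the early load.
            entry.update(vendor="intel", old=old, new=new, date=date,
                         advanced=int(new, 16) > int(old, 16))
        elif (a := AMD.search(msg)):
            # The AMD line quoted on this page carries only the new patch level.
            entry.update(vendor="amd", new=a.group(1))
        elif (v := VULN.match(msg)):
            entry["vulnerable"].append(v["issue"])
    return hosts


if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info)
```

On the sample, `svarten.tribun` shows a successful early load together with an `MDS` entry in `vulnerable`, which is the case a plain `grep microcode` check passes over.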