Bug 33560 - microcode new security issues CVE-2024-23984 and CVE-2024-24968
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Reported: 2024-09-12 09:35 CEST by Nicolas Salguero
Modified: 2024-09-16 19:45 CEST
Source RPM: microcode-0.20240813-1.mga9.nonfree.src.rpm
CVE: CVE-2024-23984, CVE-2024-24968

Description Nicolas Salguero 2024-09-12 09:35:07 CEST
The issues are fixed upstream in 20240910:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910

Mageia 9 is also affected.

Nicolas Salguero 2024-09-12 09:36:32 CEST

Source RPM: (none) => microcode-0.20240813-1.mga9.nonfree.src.rpm
CVE: (none) => CVE-2024-23984, CVE-2024-24968
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2024-09-12 10:22:22 CEST
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Observable discrepancy in RAPL interface for some Intel® Processors may allow a privileged user to potentially enable information disclosure via local access. (CVE-2024-23984)

Improper finite state machines (FSMs) in hardware logic in some Intel® Processors may allow a privileged user to potentially enable a denial of service via local access. (CVE-2024-24968)

References:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910
========================

Updated package in core/updates_testing:
========================
microcode-0.20240910-1.mga9.nonfree

from SRPM:
microcode-0.20240910-1.mga9.nonfree.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs

Comment 2 Morgan Leijström 2024-09-12 22:12:48 CEST
mga9-64 Intel 870 no issues noted
kernel 6.6.50-server-1.mga9

[morgan@svarten ~]$ rpm -qa | grep microcode
microcode_ctl-2.1-11.mga9
microcode-0.20240910-1.mga9.nonfree

[morgan@svarten ~]$ journalctl -b | grep microcode
sep 12 21:54:41 svarten.tribun kernel: microcode: updated early: 0x3 -> 0xa, date = 2018-05-08
sep 12 21:54:41 svarten.tribun kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
sep 12 21:54:41 svarten.tribun kernel: microcode: Microcode Update Driver: v2.2.

$ inxi -xSMCG
System:
  Host: svarten.tribun Kernel: 6.6.50-server-1.mga9 arch: x86_64 bits: 64
    compiler: gcc v: 12.3.0 Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
Machine:
  Type: Desktop Mobo: ASRock model: P55 Pro serial: <superuser required>
    BIOS: American Megatrends v: P2.60 date: 08/20/2010
CPU:
  Info: dual core model: Intel Core i7 870 bits: 64 type: MT MCP arch: Nehalem
    rev: 5 cache: L1: 128 KiB L2: 512 KiB L3: 8 MiB
  Speed (MHz): avg: 3547 high: 3613 min/max: 1200/2934 boost: enabled cores:
    1: 3481 2: 3613 3: 3481 4: 3613 bogomips: 23564
  Flags: ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
  Device-1: AMD Navi 24 [Radeon RX 6400/6500 XT/6500M] vendor: Micro-Star MSI
    driver: amdgpu v: kernel arch: RDNA-2 bus-ID: 09:00.0
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: amdgpu,v4l dri: radeonsi gpu: amdgpu resolution: 3840x2160~60Hz
  API: OpenGL v: 4.6 Mesa 24.1.4 renderer: AMD Radeon RX 6400 (radeonsi
    navi24 LLVM 15.0.6 DRM 3.54 6.6.50-server-1.mga9) direct-render: Yes

CC: (none) => fri

Comment 3 Brian Rockwell 2024-09-13 16:02:04 CEST
MGA9-64, Plasma, AMD Ryzen 5 2600, GeForce GTX 1650 SUPER

installed microcode

- rebooted

no issues to report

CC: (none) => brtians1

katnatek 2024-09-13 19:32:33 CEST

Keywords: (none) => advisory

Comment 4 katnatek 2024-09-13 21:14:15 CEST
RH x86_64

Relevant part of the update

installing microcode-0.20240910-1.mga9.nonfree.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: microcode             ##################################################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
      1/1: removing microcode-0.20240813-1.mga9.nonfree.noarch
                                 ##################################################################################################

Reboot

journalctl -xb | grep microcode
sep 13 13:07:45 jgrey.phoenix kernel: microcode: updated early: 0x2 -> 0x7, date = 2018-04-23
sep 13 13:07:45 jgrey.phoenix kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
sep 13 13:07:45 jgrey.phoenix kernel: microcode: Microcode Update Driver: v2.2.


Consistent with the previous round for this system bug#33511 comment#10

Comment 5 katnatek 2024-09-13 21:59:23 CEST
RH i586

Relevant part of the update

installing microcode-0.20240910-1.mga9.nonfree.noarch.rpm from //home/katnatek/qa-testing/i586
Preparing...                     ################################################################
      1/1: microcode             ################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
      1/1: removing microcode-0.20240813-1.mga9.nonfree.noarch
                                 ################################################################

Reboot
journalctl -xb | grep microcode
sep 13 13:44:40 cefiro kernel: microcode: updated early: 0xa3 -> 0xa4, date = 2010-10-02
sep 13 13:44:40 cefiro kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
sep 13 13:44:40 cefiro kernel: microcode: Microcode Update Driver: v2.2.


Consistent with the previous round for this system bug#33511 comment#11

Comment 6 Morgan Leijström 2024-09-15 19:25:18 CEST
OK on Aspire A717-71G, tested with kernel in bug 33546 comment 23

katnatek 2024-09-16 00:46:20 CEST

Whiteboard: (none) => MGA9-64-OK MGA9-32-OK
CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2024-09-16 02:29:45 CEST
My system appears to be unaffected this time, too:

[root@localhost ~]# journalctl -xb | grep microcode
Sep 15 19:27:32 localhost.localdomain kernel: microcode: updated early: 0xb4 -> 0xf8, date = 2023-09-28
Sep 15 19:27:33 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.
[root@localhost ~]# inxi -xSMCG
System:
  Host: localhost Kernel: 6.6.50-desktop-1.mga9 arch: x86_64 bits: 64
    compiler: gcc v: 12.3.0 Console: pty pts/0 Distro: Mageia 9
Machine:
  Type: Desktop Mobo: ASUSTeK model: PRIME Q270M-C v: Rev X.0x
    serial: 180322427900264 UEFI: American Megatrends v: 2201 date: 12/21/2023
CPU:
  Info: quad core model: Intel Core i5-7500 bits: 64 type: MCP arch: Kaby Lake
    rev: 9 cache: L1: 256 KiB L2: 1024 KiB L3: 6 MiB
  Speed (MHz): avg: 819 high: 876 min/max: 800/3800 cores: 1: 876 2: 800
    3: 800 4: 800 bogomips: 27208
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
  Device-1: NVIDIA GM107GL [Quadro K620] vendor: Hewlett-Packard
    driver: nvidia v: 550.100 arch: Maxwell bus-ID: 01:00.0
  Display: server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: nvidia,v4l gpu: nvidia,nvidia-nvswitch resolution: 1920x1080~60Hz
  API: OpenGL v: 4.6.0 NVIDIA 550.100 renderer: Quadro K620/PCIe/SSE2
    direct-render: Yes
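
The check the testers above perform by hand (install the package, reboot, grep the journal for `microcode`), as an added example that is not part of the bug report or of Mageia's QA tooling: it parses the kernel's boot messages and compares the logged revision with the one the CPU reports. The function names and the sample lines (modelled on the journal output quoted in the comments, hostname shortened to "host") are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report. Sample journal lines are modelled
# on the output quoted in the comments above (hostname shortened to "host").
SAMPLE_NEHALEM='sep 12 21:54:41 host kernel: microcode: updated early: 0x3 -> 0xa, date = 2018-05-08
sep 12 21:54:41 host kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
sep 12 21:54:41 host kernel: microcode: Microcode Update Driver: v2.2.'
SAMPLE_KABYLAKE='Sep 15 19:27:32 host kernel: microcode: updated early: 0xb4 -> 0xf8, date = 2023-09-28
Sep 15 19:27:33 host kernel: microcode: Microcode Update Driver: v2.2.'

# Read journal lines on stdin; print "old=<rev> new=<rev> date=<date> mds=<state>".
# Matches the message format shown on this page (kernel 6.6.50).
# Exit status 1 means no early update was logged for this boot.
microcode_summary() {
    awk '
        /microcode: updated early:/ {
            for (i = 2; i < NF; i++) {
                if ($i == "->") { oldrev = $(i - 1); newrev = $(i + 1) }
                if ($i == "=")  { date = $(i + 1) }
            }
            sub(/,$/, "", newrev)
        }
        # The kernel prints this when it clears CPU buffers for MDS but the
        # CPU does not enumerate the MD_CLEAR capability.
        /MDS: Vulnerable: Clear CPU buffers attempted, no microcode/ { mds = "no-md-clear" }
        END {
            if (oldrev == "") { print "no early update logged"; exit 1 }
            if (mds == "") mds = "not-reported"
            printf "old=%s new=%s date=%s mds=%s\n", oldrev, newrev, date, mds
        }'
}

# Print the microcode revision of the first CPU from a cpuinfo-format file
# (defaults to /proc/cpuinfo; the path argument is for offline testing).
running_revision() {
    awk -F': *' '$1 ~ /^microcode[ \t]*$/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Succeed only if the revision logged at boot is the one the CPU reports now.
revision_matches() {   # $1 = summary line, $2 = optional cpuinfo path
    logged=${1#*new=}; logged=${logged%% *}
    [ "$logged" = "$(running_revision "$2")" ]
}

printf '%s\n' "$SAMPLE_NEHALEM"  | microcode_summary
printf '%s\n' "$SAMPLE_KABYLAKE" | microcode_summary
```

On a live system, feed it `journalctl -b -k` instead of the samples and pass the resulting line to `revision_matches`.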
Comment 8 Thomas Andrews 2024-09-16 02:31:16 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Mageia Robot 2024-09-16 19:45:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0302.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

