Bug 34020 - microcode new security issues CVE-2024-31068, CVE-2024-36293, CVE-2023-43758, CVE-2024-39355 and CVE-2024-37020
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-02-14 15:18 CET by Nicolas Salguero
Modified: 2025-02-17 19:38 CET

See Also:
Source RPM: microcode-0.20241112-1.mga9.nonfree.src.rpm
CVE: CVE-2024-31068, CVE-2024-36293, CVE-2023-43758, CVE-2024-39355, CVE-2024-37020
Status comment:



Description Nicolas Salguero 2025-02-14 15:18:07 CET
The issues are fixed upstream in 20250211:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
Nicolas Salguero 2025-02-14 15:18:45 CET

Source RPM: (none) => microcode-0.20241112-1.mga9.nonfree.src.rpm
CVE: (none) => CVE-2024-31068, CVE-2024-36293, CVE-2023-43758, CVE-2024-39355, CVE-2024-37020
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2025-02-14 15:27:11 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Improper Finite State Machines (FSMs) in Hardware Logic for some Intel® Processors may allow privileged user to potentially enable denial of service via local access. (CVE-2024-31068)

Improper access control in the EDECCSSA user leaf function for some Intel® Processors with Intel® SGX may allow an authenticated user to potentially enable denial of service via local access. (CVE-2024-36293)

Improper input validation in UEFI firmware for some Intel® processors may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2023-43758)

Improper handling of physical or environmental conditions in some Intel® Processors may allow an authenticated user to enable denial of service via local access. (CVE-2024-39355)

Sequence of processor instructions leads to unexpected behavior in the Intel® DSA V1.0 for some Intel® Xeon® Processors may allow an authenticated user to potentially enable denial of service via local access. (CVE-2024-37020)

References:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
========================

Updated package in core/updates_testing:
========================
microcode-0.20250211-1.mga9.nonfree

from SRPM:
microcode-0.20250211-1.mga9.nonfree.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)

katnatek 2025-02-14 18:34:27 CET

Keywords: (none) => advisory

PC LX 2025-02-15 11:52:27 CET

CC: (none) => mageia

Comment 2 Thomas Andrews 2025-02-15 13:40:36 CET
The advisory only indicates Intel processors, but I happen to be in front of my HP Pavilion, so...

No installation issues. After the reboot:

# journalctl -xb | grep microcode
Feb 15 10:45:37 localhost.localdomain kernel: microcode: microcode updated early to new patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: CPU1: patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: CPU2: patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: CPU3: patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: CPU1: new patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: CPU0: patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: CPU3: new patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: CPU2: new patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: CPU0: new patch_level=0x06001119
Feb 15 10:45:37 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.

# inxi -SCG
System:
  Host: localhost Kernel: 6.6.74-desktop-1.mga9 arch: x86_64 bits: 64
  Console: pty pts/0 Distro: Mageia 9
CPU:
  Info: quad core model: AMD A8-4555M APU with Radeon HD Graphics bits: 64
    type: MT MCP cache: L2: 4 MiB
  Speed (MHz): avg: 1100 min/max: 1100/1600 cores: 1: 1100 2: 1100 3: 1100
    4: 1100
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Trinity [Radeon HD 7600G]
    driver: radeon v: kernel
  Device-2: Realtek HP Truevision HD laptop camera driver: uvcvideo
    type: USB
  Display: server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: radeon,v4l dri: r600 gpu: radeon resolution: 1366x768~60Hz
  API: EGL v: 1.5 drivers: r600,swrast platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.5 vendor: mesa v: 24.2.8 renderer: AMD ARUBA (DRM 2.50.0
    / 6.6.74-desktop-1.mga9 LLVM 15.0.6)
  API: Vulkan v: 1.3.231 drivers: llvmpipe surfaces: xcb,xlib

So far, the system is functioning normally.

CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2025-02-15 17:05:58 CET
MGA9-64 Plasma. No installation issues.

# journalctl -xb | grep microcode
Feb 15 10:57:46 localhost.localdomain kernel: microcode: updated early: 0xb4 -> 0xf8, date = 2023-09-28
Feb 15 10:57:46 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.

The date on the above indicates this processor was not affected this time. The system appears to be functioning normally.

# inxi -SCGN
System:
  Host: localhost Kernel: 6.6.74-desktop-1.mga9 arch: x86_64 bits: 64
  Console: pty pts/0 Distro: Mageia 9
CPU:
  Info: quad core model: Intel Core i5-7500 bits: 64 type: MCP cache:
    L2: 1024 KiB
  Speed (MHz): avg: 800 min/max: 800/3800 cores: 1: 800 2: 800 3: 800 4: 800
Graphics:
  Device-1: NVIDIA GM107GL [Quadro K620] driver: nvidia v: 550.144.03
  Display: server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: nvidia,v4l gpu: nvidia,nvidia-nvswitch resolution: 1920x1080~60Hz
  API: EGL v: 1.5 drivers: nvidia,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.6.0 vendor: nvidia v: 550.144.03
    renderer: Quadro K620/PCIe/SSE2
  API: Vulkan v: 1.3.231 drivers: nvidia,llvmpipe surfaces: xcb,xlib
Network:
  Device-1: Intel Ethernet I219-LM driver: e1000e
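
A revision-based way to check what comment 3 infers from the date, as an added example that is not part of the original thread: the `old -> new` pair in an `updated early` line is the revision before and after the kernel's early load within one boot, so this compares the loaded revision in the boot before the package update with the boot after it. The function names and the previous-boot log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: did this package update change the microcode the kernel loads?
# Handles only the two kernel message formats quoted in this bug (assumption).

# loaded_rev: kernel log on stdin -> revision the CPU ended up running.
#   Intel: "microcode: updated early: 0xOLD -> 0xNEW, date = ..."  (prints NEW)
#   AMD:   "microcode: ... patch_level=0xNN"                   (prints last one)
loaded_rev() {
    sed -n \
        -e 's/.*microcode: updated early: 0x[0-9a-fA-F]* -> \(0x[0-9a-fA-F]*\),.*/\1/p' \
        -e 's/.*microcode: .*patch_level=\(0x[0-9a-fA-F]*\).*/\1/p' |
        tail -n 1
}

# compare_boots PREV_LOG CUR_LOG: both arguments are log text, e.g.
#   compare_boots "$(journalctl -k -b -1)" "$(journalctl -k -b 0)"
# (needs a persistent journal so the pre-update boot is still available).
compare_boots() {
    before=$(printf '%s\n' "$1" | loaded_rev)
    after=$(printf '%s\n' "$2" | loaded_rev)
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "unknown"            # no recognised microcode line in one log
    elif [ $(($before)) -eq $(($after)) ]; then
        echo "unchanged $after"   # same revision as with the old package
    else
        echo "changed $before -> $after"
    fi
}

# Constructed sample input. CUR_SAME is the line from comment 3; the
# previous-boot lines and the 0x10/0x20/0x21 revisions are made up.
PREV_SAME='Feb 14 09:00:00 host kernel: microcode: updated early: 0xb4 -> 0xf8, date = 2023-09-28'
CUR_SAME='Feb 15 10:57:46 localhost.localdomain kernel: microcode: updated early: 0xb4 -> 0xf8, date = 2023-09-28'
PREV_OLD='Feb 14 09:00:00 host kernel: microcode: updated early: 0x10 -> 0x20, date = 2024-01-01'
CUR_NEW='Feb 15 09:00:00 host kernel: microcode: updated early: 0x10 -> 0x21, date = 2024-08-01'

compare_boots "$PREV_SAME" "$CUR_SAME"
compare_boots "$PREV_OLD" "$CUR_NEW"
```
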
Comment 4 katnatek 2025-02-15 19:33:16 CET
RH x86_64

installing microcode-0.20250211-1.mga9.nonfree.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: microcode             ##################################################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
      1/1: removing microcode-0.20241112-1.mga9.nonfree.noarch
                                 ##################################################################################################

Reboot

journalctl -xb | grep microcode
feb 15 12:20:54 jgrey.phoenix kernel: microcode: updated early: 0x2 -> 0x7, date = 2018-04-23
feb 15 12:20:54 jgrey.phoenix kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
feb 15 12:20:54 jgrey.phoenix kernel: microcode: Microcode Update Driver: v2.2.

Same as in bug#33770
Comment 5 katnatek 2025-02-15 19:53:16 CET
RH i586

Get other updates

installing /var/cache/urpmi/rpms/libpostproc56-5.1.6-1.2.mga9.tainted.i586.rpm                                           
/var/cache/urpmi/rpms/ffmpeg-5.1.6-1.2.mga9.tainted.i586.rpm
/var/cache/urpmi/rpms/libavutil57-5.1.6-1.2.mga9.tainted.i586.rpm
/var/cache/urpmi/rpms/libswscaler6-5.1.6-1.2.mga9.tainted.i586.rpm
/var/cache/urpmi/rpms/libavfilter8-5.1.6-1.2.mga9.tainted.i586.rpm
/var/cache/urpmi/rpms/libavcodec59-5.1.6-1.2.mga9.tainted.i586.rpm
//home/katnatek/qa-testing/i586/microcode-0.20250211-1.mga9.nonfree.noarch.rpm
/var/cache/urpmi/rpms/libswresample4-5.1.6-1.2.mga9.tainted.i586.rpm
/var/cache/urpmi/rpms/libavformat59-5.1.6-1.2.mga9.tainted.i586.rpm
Preparing...                     #######################################################################################
      1/9: libavutil57           #######################################################################################
      2/9: microcode             #######################################################################################
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
dracut: dracut module 'systemd-initrd' depends on 'systemd', which can't be installed
dracut: dracut module 'dracut-systemd' depends on 'systemd-initrd', which can't be installed
dracut: dracut module 'ifcfg' depends on 'network', which can't be installed
      3/9: libswresample4        #######################################################################################
      4/9: libavcodec59          #######################################################################################
      5/9: libpostproc56         #######################################################################################
      6/9: libswscaler6          #######################################################################################
      7/9: libavformat59         #######################################################################################
      8/9: libavfilter8          #######################################################################################
      9/9: ffmpeg                #######################################################################################
      1/9: removing ffmpeg-5.1.6-1.1.mga9.tainted.i586
                                 #######################################################################################
      2/9: removing libavfilter8-5.1.6-1.1.mga9.tainted.i586
                                 #######################################################################################
      3/9: removing libavformat59-5.1.6-1.1.mga9.tainted.i586
                                 #######################################################################################
      4/9: removing libavcodec59-5.1.6-1.1.mga9.tainted.i586
                                 #######################################################################################
      5/9: removing libswresample4-5.1.6-1.1.mga9.tainted.i586
                                 #######################################################################################
      6/9: removing libpostproc56-5.1.6-1.1.mga9.tainted.i586
                                 #######################################################################################
      7/9: removing libswscaler6-5.1.6-1.1.mga9.tainted.i586
                                 #######################################################################################
      8/9: removing libavutil57-5.1.6-1.1.mga9.tainted.i586
                                 #######################################################################################
      9/9: removing microcode-0.20241112-1.mga9.nonfree.noarch
                                 #######################################################################################

journalctl -xb | grep microcode
feb 15 12:48:37 cefiro kernel: microcode: updated early: 0xa3 -> 0xa4, date = 2010-10-02
feb 15 12:48:37 cefiro kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
feb 15 12:48:37 cefiro kernel: microcode: Microcode Update Driver: v2.2.

Same as in bug#33770
Comment 6 Brian Rockwell 2025-02-16 00:01:23 CET
MGA9-64, Cinnamon, AMD Ryzen 5 2600, GeForce GTX 1650 SUPER

-- Installed microcode and rebooted

Spent some time watching YouTube - no issues.

CC: (none) => brtians1

Comment 7 Morgan Leijström 2025-02-16 15:19:53 CET
mga9-64 on my workstation: OK, no regression noted.
Normal usage; Plasma, desktop apps, VirtualBox suspend-resume


[morgan@svarten ~]$ journalctl -xb | grep microcode
feb 15 11:58:21 svarten.tribun kernel: microcode: updated early: 0x3 -> 0xa, date = 2018-05-08
feb 15 11:58:21 svarten.tribun kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
feb 15 11:58:21 svarten.tribun kernel: microcode: Microcode Update Driver: v2.2.

[morgan@svarten ~]$ inxi -SMCG
System:
  Host: svarten.tribun Kernel: 6.6.74-1.mga9 arch: x86_64 bits: 64
  Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
Machine:
  Type: Desktop Mobo: ASRock model: P55 Pro serial: <superuser required>
    BIOS: American Megatrends v: P2.60 date: 08/20/2010
CPU:
  Info: quad core model: Intel Core i7 870 bits: 64 type: MT MCP cache:
    L2: 1024 KiB
  Speed (MHz): avg: 3481 min/max: 1200/2934 cores: 1: 3481 2: 3481 3: 3481
    4: 3481 5: 3481 6: 3481 7: 3481 8: 3481
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Navi 24 [Radeon RX 6400/6500
    XT/6500M] driver: amdgpu v: kernel
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: amdgpu,v4l dri: radeonsi gpu: amdgpu resolution: 3840x2160~60Hz
  API: EGL v: 1.5 drivers: kms_swrast,radeonsi,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.6 vendor: amd mesa v: 24.3.4 renderer: AMD Radeon RX
    6400 (radeonsi navi24 LLVM 15.0.6 DRM 3.54 6.6.74-1.mga9)

CC: (none) => fri

Comment 8 Len Lawrence 2025-02-16 20:00:17 CET
Kernel: 6.6.74-desktop-1.mga9
12-core (4-mt/8-st) model: 12th Gen Intel Core
    i7-1260P bits: 64 type: MST AMCP cache: L2: 9 MiB
Intel Alder Lake-P Integrated Graphics, driver: i915

# journalctl -xb | grep microcode
Feb 16 18:38:35 yildun kernel: microcode: updated early: 0x421 -> 0x436, date = 2024-08-01
Feb 16 18:38:35 yildun kernel: microcode: Microcode Update Driver: v2.2.

Mate desktop working fine.
kmahjongg runs OK, wifi, bluetooth, falkon, firefox, vlc, mplayer with pulseaudio.
$ stress -c 6 -t 25
stress: info: [65821] dispatching hogs: 6 cpu, 0 io, 0 vm, 0 hdd
stress: info: [65821] successful run completed in 25s

CC: (none) => tarazed25

Comment 9 Thomas Andrews 2025-02-17 17:23:19 CET
MGA9-64 Plasma on HP Probook 6550b: No installation issues.

# journalctl -xb | grep microcode
Feb 17 11:14:21 localhost.localdomain kernel: microcode: updated early: 0xf -> 0x11, date = 2018-05-08
Feb 17 11:14:21 localhost.localdomain kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 17 11:14:21 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.

Looks like this processor isn't affected, either.


# inxi -SCGN
System:
  Host: localhost Kernel: 6.6.74-desktop-1.mga9 arch: x86_64 bits: 64
  Console: pty pts/0 Distro: Mageia 9
CPU:
  Info: dual core model: Intel Core i3 M 350 bits: 64 type: MT MCP cache:
    L2: 512 KiB
  Speed (MHz): avg: 933 min/max: 933/2266 cores: 1: 933 2: 933 3: 933 4: 933
Graphics:
  Device-1: Intel Core Processor Integrated Graphics driver: i915 v: kernel
  Display: server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: intel,v4l dri: i965 gpu: i915 resolution: 1366x768~60Hz
  API: EGL v: 1.5 drivers: crocus,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 2.1 vendor: intel mesa v: 24.2.8 renderer: Mesa Intel HD
    Graphics (ILK)
  API: Vulkan v: 1.3.231 drivers: llvmpipe surfaces: xcb,xlib
Network:
  Device-1: Intel 82577LC Gigabit Network driver: e1000e
  Device-2: Broadcom BCM43224 802.11a/b/g/n driver: bcma-pci-bridge
Comment 10 Thomas Andrews 2025-02-17 17:25:28 CET
Looks good to go. Validating.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-32-OK MGA9-64-OK
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2025-02-17 19:38:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0068.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
