Fedora 40 update for microcode_ctl
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2024-24853 CVE-2024-24980 CVE-2024-25939 |
| CWE-ID | CWE-696 CWE-693 CWE-399 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system microcode_ctl Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Incorrect behavior order
EUVDB-ID: #VU96259
Risk: Low
CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-24853
CWE-ID:
CWE-696 - Incorrect Behavior Order
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an incorrect behavior order in SMI Transfer monitor (STM). A local user can escalate privileges on the system.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 40
microcode_ctl: before 2.1-61.2.fc40
CPE2.3- cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:microcode_ctl:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2024-5c5c384fa7
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Protection Mechanism Failure
EUVDB-ID: #VU96214
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-24980
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient implementation of security measures. A local privileged user can escalate privileges on the system.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 40
microcode_ctl: before 2.1-61.2.fc40
CPE2.3- cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:microcode_ctl:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2024-5c5c384fa7
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU96213
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-25939
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. Mirrored regions with different values in 3rd Generation Intel Xeon
Scalable Processors may allow a local privileged user to crash the system.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 40
microcode_ctl: before 2.1-61.2.fc40
CPE2.3- cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:microcode_ctl:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2024-5c5c384fa7
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
