Amazon Linux AMI update for microcode_ctl
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2024-23984 CVE-2024-24853 CVE-2024-24968 CVE-2024-24980 |
| CWE-ID | CWE-203 CWE-696 CWE-371 CWE-693 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system microcode_ctl Operating systems & Components / Operating system package or component |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Observable discrepancy
EUVDB-ID: #VU97424
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-23984
CWE-ID:
CWE-203 - Observable discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to observable discrepancy in Running Average Power Limit (RAPL) interface. A local privileged user can gain access to potentially sensitive information.
Update the affected packages:
i686:Vulnerable software versions
microcode_ctl-debuginfo-2.1-47.44.amzn1.i686
microcode_ctl-2.1-47.44.amzn1.i686
src:
microcode_ctl-2.1-47.44.amzn1.src
x86_64:
microcode_ctl-debuginfo-2.1-47.44.amzn1.x86_64
microcode_ctl-2.1-47.44.amzn1.x86_64
Amazon Linux AMI: All versions
microcode_ctl: before 2.1-47.44
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:microcode_ctl:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2024-1950.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Incorrect behavior order
EUVDB-ID: #VU96259
Risk: Low
CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-24853
CWE-ID:
CWE-696 - Incorrect Behavior Order
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an incorrect behavior order in SMI Transfer monitor (STM). A local user can escalate privileges on the system.
Update the affected packages:
i686:Vulnerable software versions
microcode_ctl-debuginfo-2.1-47.44.amzn1.i686
microcode_ctl-2.1-47.44.amzn1.i686
src:
microcode_ctl-2.1-47.44.amzn1.src
x86_64:
microcode_ctl-debuginfo-2.1-47.44.amzn1.x86_64
microcode_ctl-2.1-47.44.amzn1.x86_64
Amazon Linux AMI: All versions
microcode_ctl: before 2.1-47.44
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:microcode_ctl:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2024-1950.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) State Issues
EUVDB-ID: #VU97423
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-24968
CWE-ID:
CWE-371 - State Issues
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to improper finite state machines (FSMs) in hardware logic. A local privileged user can perform a denial of service (DoS) attack.
Update the affected packages:
i686:Vulnerable software versions
microcode_ctl-debuginfo-2.1-47.44.amzn1.i686
microcode_ctl-2.1-47.44.amzn1.i686
src:
microcode_ctl-2.1-47.44.amzn1.src
x86_64:
microcode_ctl-debuginfo-2.1-47.44.amzn1.x86_64
microcode_ctl-2.1-47.44.amzn1.x86_64
Amazon Linux AMI: All versions
microcode_ctl: before 2.1-47.44
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:microcode_ctl:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2024-1950.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Protection Mechanism Failure
EUVDB-ID: #VU96214
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-24980
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient implementation of security measures. A local privileged user can escalate privileges on the system.
Update the affected packages:
i686:Vulnerable software versions
microcode_ctl-debuginfo-2.1-47.44.amzn1.i686
microcode_ctl-2.1-47.44.amzn1.i686
src:
microcode_ctl-2.1-47.44.amzn1.src
x86_64:
microcode_ctl-debuginfo-2.1-47.44.amzn1.x86_64
microcode_ctl-2.1-47.44.amzn1.x86_64
Amazon Linux AMI: All versions
microcode_ctl: before 2.1-47.44
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:microcode_ctl:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2024-1950.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
