Details of VAR-202106-0344

ID

VAR-202106-0344

CVE

CVE-2020-24512

TITLE

Debian Security Advisory 4934-1

Trust: 0.1

sources: PACKETSTORM: 169079

DESCRIPTION

Observable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. For the stable distribution (buster), these problems have been fixed in version 3.20210608.2~deb10u1. Note that there are two reported regressions; for some CoffeeLake CPUs this update may break iwlwifi (https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56) and some for Skylake R0/D0 CPUs on systems using a very outdated firmware/BIOS, the system may hang on boot: (https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31) If you are affected by those issues, you can recover by disabling microcode loading on boot (as documented in README.Debian (also available online at https://salsa.debian.org/hmh/intel-microcode/-/blob/master/debian/README.Debian)) We recommend that you upgrade your intel-microcode packages. For the detailed security status of intel-microcode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/intel-microcode Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmDXan0ACgkQEMKTtsN8 Tja9aQ//f1dHsEghQsedGnkMCIa2qLi12UFtb4yW7TYV6uwloqbYZMbymvoXYOAB haasn+yCaGUkXuAHxcGvZuN41EkRhdG4LfS5qoZxPMsw84ETjpV2Ohwhuqwf9P20 9pqV1QLjVPCMiCqvHatkzyRNPtRhIh0uCRx5HtIeOEyKTwhVnUJrrljUXCzMDviD 3As0n0yVUPDIcJdaVxp5mxyebf1NyIYMR+7wmzTBOhK6i+rEE4NkKGkcsYBIM1ch AdTQNHv78QZld6ixL8iCUe1NsSugZ2QjbVL1BLW45fJv3f0BIF5uo6LBzbiJlN/6 xWwOdFTfqW1ORyr0k6JQ+yKz3oSE+jfUStwf+zegWOjYes5gGaA/nATzzNwwFfCQ qDqMmnN26qMI3MswP50ESkNs2JTK3955cIJjnscp5DeFArDuCFKh9wcqSZ46/QCE GVRi+F/Dh3JQxv/jP8jfLhCvkBptuendGo9qK5v22QoeCRoHS16dLu7HHP34hRrw k//EgtP35pD9eTNiIsxhmx3qTPD0gbQbcMG/5NTVtpNqsffAxYtqTy8+/4lfPkNn AYtYrrG6tjEHe1gasLkjthB7c0YLzPLdNyZkNIk6XZ2YIhx18N80c7gTBERSJ1Sh 9lmsnX3+5GWM7Fx2NN2vL5xIEo0einMJCyTlNMRDLim2ix1vpZg= =RVf2 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: microcode_ctl security, bug fix and enhancement update Advisory ID: RHSA-2021:2301-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:2301 Issue date: 2021-06-08 CVE Names: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 ==================================================================== 1. Summary: An update for microcode_ctl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.4) - x86_64 Red Hat Enterprise Linux Server E4S (v. 7.4) - x86_64 Red Hat Enterprise Linux Server TUS (v. 7.4) - x86_64 3. Description: The microcode_ctl packages provide microcode updates for Intel. Security Fix(es): * hw: vt-d related privilege escalation (CVE-2020-24489) * hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511) * hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512) * hw: information disclosure on some Intel Atom processors (CVE-2020-24513) Bug Fix(es) and Enhancement(s): * Update Intel CPU microcode to microcode-20210525 release 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1962650 - CVE-2020-24489 hw: vt-d related privilege escalation 1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors 1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors 1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors 6. Package List: Red Hat Enterprise Linux Server AUS (v. 7.4): Source: microcode_ctl-2.1-22.39.el7_4.src.rpm x86_64: microcode_ctl-2.1-22.39.el7_4.x86_64.rpm microcode_ctl-debuginfo-2.1-22.39.el7_4.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.4): Source: microcode_ctl-2.1-22.39.el7_4.src.rpm x86_64: microcode_ctl-2.1-22.39.el7_4.x86_64.rpm microcode_ctl-debuginfo-2.1-22.39.el7_4.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.4): Source: microcode_ctl-2.1-22.39.el7_4.src.rpm x86_64: microcode_ctl-2.1-22.39.el7_4.x86_64.rpm microcode_ctl-debuginfo-2.1-22.39.el7_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-24489 https://access.redhat.com/security/cve/CVE-2020-24511 https://access.redhat.com/security/cve/CVE-2020-24512 https://access.redhat.com/security/cve/CVE-2020-24513 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYMAhZtzjgjWX9erEAQgacA/8CSb4gKvVxCL/UEvQ8fD+Fuk7bVgGXgdl zfHALQmqxEvgcquECA1+0gVaALewsTbv0jYGt8ar3LXlNfdYvJyTZIkkTU7QPZX4 noIGXIk9Ljn6HDzNVq4+SzQGFhsy+eCyj0ksgLD1pYvSXZhMhIFoNs88qbn4vohF NWbr/79PFDN5Z8OD6eZ62dQuU0EBgR2/zQGhqEp2A5AIGyCpoGkeMjQbcEr8MTYw re11SdeDWdXudlgn6lCeVm1NB8/oaCRih7VTaNzHMTihyG2fS6Vfy9Tf1PcXXrZT 8r21wAISxES7QfMCxBB3jnlq+/3QYFG/dYLDZ8EDwa6ZCXyFRHirUQP6vrk9TG5k xVPIFH/QUwcWFaquGbvtpllAgn1tcSohpzMzDPqLIFSO031A1Xdn6JaYaUi9unO7 wOUS5MMYTJtXjQJ/lBjMFFCEMzGZ1VY74wwdHmyoBW9eA6DnfjTHsnhTpWvLbuHw fM0+/amC1YdZkMOmKWeSNkB0ESISQw6d7/pgT1px/ZyEktGtlnvOcybPpqVVFnnT 3llMAz6CW3UL59MvAvPk9dXKSeJBfsXVVQq21VVuNi/KHSE9tsYQnBgiVizDbrru npkQK4e+JU/GxTuioDK4/QrC89S9ZTvHcfiTFhpDt8DNxJdkmjjNi87m1UWfS1rL 3CqP9OqPU7Q=cruI -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 1.71

sources: NVD: CVE-2020-24512 // VULHUB: VHN-178398 // VULMON: CVE-2020-24512 // PACKETSTORM: 169079 // PACKETSTORM: 163954 // PACKETSTORM: 163956 // PACKETSTORM: 163036 // PACKETSTORM: 163043 // PACKETSTORM: 163047 // PACKETSTORM: 163863

AFFECTED PRODUCTS

vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	netapp	model:	solidfire bios	scope:	eq	version:	-	Trust: 1.0
vendor:	netapp	model:	hci compute node bios	scope:	eq	version:	-	Trust: 1.0
vendor:	intel	model:	microcode	scope:	lt	version:	20210608	Trust: 1.0
vendor:	netapp	model:	fas\/aff bios	scope:	eq	version:	-	Trust: 1.0

sources: NVD: CVE-2020-24512

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-24512
value:	LOW
Trust: 1.0
VULHUB:	VHN-178398
value:	LOW
Trust: 0.1
VULMON:	CVE-2020-24512
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-24512
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-178398
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-24512
baseSeverity:	LOW
baseScore:	3.3
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	1.4
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-178398 // VULMON: CVE-2020-24512 // NVD: CVE-2020-24512

PROBLEMTYPE DATA

problemtype:

CWE-203

Trust: 1.1

sources: VULHUB: VHN-178398 // NVD: CVE-2020-24512

PATCH

title:	Red Hat: CVE-2020-24512	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2020-24512	Trust: 0.1
title:	Debian CVElist Bug Report Logs: intel-microcode: CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 CVE-2021-24489 (INTEL-SA-00464, INTEL-SA-00465, INTEL-SA-00442)	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=5d902b5a89823da316827bef43ff1012	Trust: 0.1
title:	Debian Security Advisories: DSA-4934-1 intel-microcode -- security update	url:	https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=4ad7d48e75ab61a8e061047171de2577	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2020-24512 log	Trust: 0.1
title:	Arch Linux Advisories: [ASA-202106-34] intel-ucode: multiple issues	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202106-34	Trust: 0.1
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=240e27e5c8fba28153598a375a2a4130	Trust: 0.1
title:	CVE-2020-24512	url:	https://github.com/AlAIAL90/CVE-2020-24512	Trust: 0.1

sources: VULMON: CVE-2020-24512

EXTERNAL IDS

db:	NVD	id:	CVE-2020-24512	Trust: 1.9
db:	SIEMENS	id:	SSA-309571	Trust: 1.1
db:	PACKETSTORM	id:	163047	Trust: 0.2
db:	PACKETSTORM	id:	163043	Trust: 0.2
db:	PACKETSTORM	id:	163036	Trust: 0.2
db:	PACKETSTORM	id:	163037	Trust: 0.1
db:	PACKETSTORM	id:	163044	Trust: 0.1
db:	PACKETSTORM	id:	163040	Trust: 0.1
db:	PACKETSTORM	id:	163042	Trust: 0.1
db:	PACKETSTORM	id:	163031	Trust: 0.1
db:	PACKETSTORM	id:	163048	Trust: 0.1
db:	PACKETSTORM	id:	163032	Trust: 0.1
db:	PACKETSTORM	id:	163046	Trust: 0.1
db:	VULHUB	id:	VHN-178398	Trust: 0.1
db:	VULMON	id:	CVE-2020-24512	Trust: 0.1
db:	PACKETSTORM	id:	169079	Trust: 0.1
db:	PACKETSTORM	id:	163954	Trust: 0.1
db:	PACKETSTORM	id:	163956	Trust: 0.1
db:	PACKETSTORM	id:	163863	Trust: 0.1

sources: VULHUB: VHN-178398 // VULMON: CVE-2020-24512 // PACKETSTORM: 169079 // PACKETSTORM: 163954 // PACKETSTORM: 163956 // PACKETSTORM: 163036 // PACKETSTORM: 163043 // PACKETSTORM: 163047 // PACKETSTORM: 163863 // NVD: CVE-2020-24512

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20210611-0005/	Trust: 1.2
url:	https://www.debian.org/security/2021/dsa-4934	Trust: 1.2
url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html	Trust: 1.2
url:	https://lists.debian.org/debian-lts-announce/2021/07/msg00022.html	Trust: 1.2
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf	Trust: 1.1
url:	https://access.redhat.com/security/cve/cve-2020-24512	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24511	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24512	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24489	Trust: 0.7
url:	https://access.redhat.com/security/cve/cve-2020-24511	Trust: 0.6
url:	https://access.redhat.com/articles/11258	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2020-24489	Trust: 0.6
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.6
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.6
url:	https://access.redhat.com/security/team/key/	Trust: 0.6
url:	https://access.redhat.com/security/team/contact/	Trust: 0.6
url:	https://bugzilla.redhat.com/):	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24513	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8696	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-8698	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8698	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-0549	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-0543	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-8695	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8695	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-0549	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-0543	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-8696	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-0548	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-0548	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-24513	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/203.html	Trust: 0.1
url:	https://github.com/alaial90/cve-2020-24512	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://salsa.debian.org/hmh/intel-microcode/-/blob/master/debian/readme.debian))	Trust: 0.1
url:	https://github.com/intel/intel-linux-processor-microcode-data-files/issues/56)	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://github.com/intel/intel-linux-processor-microcode-data-files/issues/31)	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/intel-microcode	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:3323	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:3322	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2300	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2301	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2303	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:3176	Trust: 0.1

CREDITS

Red Hat

Trust: 0.6

sources: PACKETSTORM: 163954 // PACKETSTORM: 163956 // PACKETSTORM: 163036 // PACKETSTORM: 163043 // PACKETSTORM: 163047 // PACKETSTORM: 163863

SOURCES

db:	VULHUB	id:	VHN-178398
db:	VULMON	id:	CVE-2020-24512
db:	PACKETSTORM	id:	169079
db:	PACKETSTORM	id:	163954
db:	PACKETSTORM	id:	163956
db:	PACKETSTORM	id:	163036
db:	PACKETSTORM	id:	163043
db:	PACKETSTORM	id:	163047
db:	PACKETSTORM	id:	163863
db:	NVD	id:	CVE-2020-24512

LAST UPDATE DATE

2026-04-05T19:54:53.366000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-178398	date:	2021-09-09T00:00:00
db:	VULMON	id:	CVE-2020-24512	date:	2021-08-10T00:00:00
db:	NVD	id:	CVE-2020-24512	date:	2021-09-09T12:56:22.933

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-178398	date:	2021-06-09T00:00:00
db:	VULMON	id:	CVE-2020-24512	date:	2021-06-09T00:00:00
db:	PACKETSTORM	id:	169079	date:	2021-06-28T19:12:00
db:	PACKETSTORM	id:	163954	date:	2021-08-31T15:43:48
db:	PACKETSTORM	id:	163956	date:	2021-08-31T15:44:21
db:	PACKETSTORM	id:	163036	date:	2021-06-09T13:28:02
db:	PACKETSTORM	id:	163043	date:	2021-06-09T13:40:40
db:	PACKETSTORM	id:	163047	date:	2021-06-09T13:42:12
db:	PACKETSTORM	id:	163863	date:	2021-08-17T15:19:34
db:	NVD	id:	CVE-2020-24512	date:	2021-06-09T19:15:08.930