[Bug 2100005] Re: intel-microcode 3.20250211.0ubuntu0.22.04.1 may be incomplete

Alex Murray 2100005 at bugs.launchpad.net
Wed Feb 26 00:24:34 UTC 2025


Unfortunately the documentation from Intel has been unclear on these
vulnerabilities - when preparing this update I was under the impression
that there was a microcode update which mitigates parts of
CVE-2024-39279 on some platforms - but I believe the actual fix for this
requires a BIOS update. Due to the incomplete documentation from Intel
(in particular the upstream release for this
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
calls out INTEL-SA-01139 - so I
tried to map this against the contents of the microcode files but it is
entirely possible I made some mistakes here.

I have checked and I have not left out anything in the Ubuntu package
compared to what was released upstream so I do not believe there is any
bug here or issue. As such, I will mark this as public and close it, but
feel free to let me know if you think there is anything still amiss and
I will do my best to address it. Thanks.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-39279

** Information type changed from Private Security to Public Security

** Changed in: intel-microcode (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to intel-microcode in Ubuntu.
https://bugs.launchpad.net/bugs/2100005

Title:
  intel-microcode 3.20250211.0ubuntu0.22.04.1 may be incomplete

Status in intel-microcode package in Ubuntu:
  Invalid

Bug description:
  USN-7269-1: Intel Microcode vulnerabilities claims to address three
  different CVEs, each for a different Intel advisory:

  
      CVE-2024-36293 intel-sa-01213.html
      CVE-2024-39279 intel-sa-01139.html
      CVE-2024-31068 intel-sa-01166.html

  According to Intel's notice, 01139 affects CPUs with IDs 50657 and
  906E9 (among others).  We have systems with each of those IDs, but
  installing intel-microcode 3.20250211.0ubuntu0.22.04.1 and rebooting
  leaves the microcode version number unchanged.

  I fetched previous package version 20241112, unpacked the files,
  compared the files, and discovered that the files in
  /lib/firmware/intel-ucode for those two CPU IDs (06-55-07 for 50657,
  06-9e-09 for 906E9) were the same.  So the version number didn't
  increment because there is in fact no new microcode for those CPU IDs.

  For 906E9 this is fair enough: that ID reached its Intel EOSL on
  2024-03-31, so Intel no longer promises updates.  But is still
  supported until 2025-06-30, so there should be an update for that ID.
  (I am getting this info from
  https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html,
  which we have learned to check periodically.)

  There are other CPU IDs affected by 01139 that did get updates, but
  each of them is also affected by at least one of the other two
  advisories addressed by the 20259211 firmware package.

  Were the updates for 01139 somehow left out?

  Thanks.

  I am marking this as a security vulnerability because it is about a
  USN.
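
The comparison described in the bug description can be done on the microcode headers rather than on whole files. The following is an added example, not part of the bug report or of the intel-microcode package: it maps a CPUID signature to its file name under /lib/firmware/intel-ucode and compares the update revisions found in two copies of that file. It assumes the 48-byte update header layout from the Intel SDM, does not verify checksums, and ignores extended signature tables; `make_update` and all revision, flag and date values are constructed for illustration.

```python
import struct

def ucode_filename(cpuid_sig):
    """Map a CPUID signature (e.g. 0x50657) to its family-model-stepping file name."""
    stepping = cpuid_sig & 0xF
    model = (cpuid_sig >> 4) & 0xF
    family = (cpuid_sig >> 8) & 0xF
    if family in (0x6, 0xF):              # extended model applies to these families
        model |= ((cpuid_sig >> 16) & 0xF) << 4
    if family == 0xF:                     # extended family applies only to family 0xF
        family += (cpuid_sig >> 20) & 0xFF
    return f"{family:02x}-{model:02x}-{stepping:02x}"

def parse_updates(blob):
    """Walk the concatenated updates in one file and return their header fields."""
    updates, off = [], 0
    while off + 48 <= len(blob):
        (hdr_ver, rev, date, sig, _cksum, _loader, pf,
         _data_size, total_size) = struct.unpack_from("<9I", blob, off)
        if hdr_ver != 1:
            raise ValueError(f"unexpected header version at offset {off}")
        # The date field is BCD, laid out as mmddyyyy.
        ymd = f"{date & 0xFFFF:04x}-{date >> 24:02x}-{(date >> 16) & 0xFF:02x}"
        updates.append({"sig": sig, "pf": pf, "rev": rev, "date": ymd})
        off += total_size or 2048         # 0 means the legacy 2048-byte update
    return updates

def microcode_changed(old, new):
    """True if the (signature, platform flags, revision) sets differ."""
    key = lambda b: sorted((u["sig"], u["pf"], u["rev"]) for u in parse_updates(b))
    return key(old) != key(new)

def make_update(sig, pf, rev, date, payload_len=2000):
    """Build a constructed update (zero payload, zero checksum) for the demo."""
    hdr = struct.pack("<9I", 1, rev, date, sig, 0, 1, pf, payload_len, 48 + payload_len)
    return hdr + bytes(12) + bytes(payload_len)   # 12 reserved header bytes

if __name__ == "__main__":
    # Constructed stand-ins for the same file taken from two package versions.
    old_pkg = make_update(0x50657, 0x1, 0x100, 0x11122024)
    new_pkg = make_update(0x50657, 0x1, 0x100, 0x11122024)
    print(ucode_filename(0x50657), "changed:", microcode_changed(old_pkg, new_pkg))
    for u in parse_updates(new_pkg):
        print(f"sig={u['sig']:#x} pf={u['pf']:#x} rev={u['rev']:#x} date={u['date']}")
```

To use it on real data, read the file named by `ucode_filename` from each unpacked package and pass both byte strings to `microcode_changed`.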
