CVE-2020-24489
Published: 8 June 2021
Incomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege via local access.
From the Ubuntu Security Team
It was discovered that some Intel processors may not properly invalidate cache entries used by Intel Virtualization Technology for Directed I/O (VT-d). This may allow a local user to perform a privilege escalation attack.
Notes
Author | Note |
---|---|
sbeattie | INTEL-TA-00442: there does not appear to be a kernel/qemu aspect to this issue |
Priority
Status
Package | Release | Status |
---|---|---|
intel-microcode (Launchpad, Ubuntu, Debian) | groovy | Released (3.20210608.0ubuntu0.20.10.1) |
intel-microcode | hirsute | Released (3.20210608.0ubuntu0.21.04.1) |
intel-microcode | upstream | Needs triage |
intel-microcode | bionic | Released (3.20210608.0ubuntu0.18.04.1) |
intel-microcode | focal | Released (3.20210608.0ubuntu0.20.04.1) |
intel-microcode | impish | Released (3.20210608.0ubuntu1) |
intel-microcode | jammy | Released (3.20210608.0ubuntu1) |
intel-microcode | trusty | Released (3.20210608.0ubuntu0.14.04.1+esm1). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
intel-microcode | xenial | Released (3.20210608.0ubuntu0.16.04.1+esm1). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Changed |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24489
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20210608
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html
- https://ubuntu.com/security/notices/USN-4985-1
- NVD
- Launchpad
- Debian