Synopsis
The remote Debian host is missing one or more security-related updates.
Description
The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3537 advisory.
- ----------------------------------------------------------------------- Debian LTS Advisory DLA-3537-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta August 22, 2023 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------
Package : intel-microcode Version : 3.20230808.1~deb10u1 CVE ID : CVE-2022-40982 CVE-2022-41804 CVE-2023-23908 Debian Bug : 1043305
This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities.
CVE-2022-40982
Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability which allows unprivileged speculative access to data which was previously stored in vector registers.
For details please refer to https://downfall.page/ and https://www.intel.com/content/www/us/en/developer/articles/technical/software-security- guidance/technical-documentation/gather-data-sampling.html.
CVE-2022-41804
Unauthorized error injection in Intel SGX or Intel TDX for some Intel Xeon Processors which may allow a local user to potentially escalate privileges.
CVE-2023-23908
Improper access control in some 3rd Generation Intel Xeon Scalable processors may result in an information leak.
For Debian 10 buster, these problems have been fixed in version 3.20230808.1~deb10u1.
We recommend that you upgrade your intel-microcode packages.
For the detailed security status of intel-microcode please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Tenable has extracted the preceding description block directly from the Debian security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the intel-microcode packages.
Plugin Details
File Name: debian_DLA-3537.nasl
Agent: unix
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:intel-microcode
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: Exploits are available
Patch Publication Date: 8/22/2023
Vulnerability Publication Date: 8/3/2023