
Cloud Vulnerability DB
A community-led vulnerabilities database
Incorrect default permissions in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX were discovered, potentially affecting system security. The vulnerability, identified as CVE-2024-21820, was discovered by Avraham Shalev and Nagaraju N Kodalapura and publicly disclosed on November 13, 2024. This security flaw specifically affects Intel Xeon processors utilizing Intel SGX technology (Ubuntu Security).
The vulnerability stems from improper access restrictions to the memory controller when using Intel SGX. It has received a CVSS 4.0 Base Score of 8.5 (HIGH) with vector CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N, and a CVSS 3.1 Base Score of 7.2 (HIGH) with vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) (NVD).
The vulnerability may allow a privileged user to enable escalation of privilege via local access. In other words, an attacker who already has privileged access to the system could escalate further, potentially gaining additional unauthorized access to system resources (CVE).
Intel has released microcode updates to address this vulnerability. Ubuntu has released fixes across multiple versions including 24.10, 24.04 LTS, 22.04 LTS, 20.04 LTS, and 18.04 LTS. For Ubuntu Pro users, fixes are available via ESM Infra for 16.04 LTS and 14.04 LTS versions (Ubuntu Security).
Source: This report was generated using AI