CVE-2022-24436 - OpenCVE

Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Intel	*

Configuration 1 [-]

cpe:2.3:h:intel:*:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2022-24436
https://security.netapp.com/advisory/ntap-20220624-0007/
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1038
https://www.cve.org/CVERecord?id=CVE-2022-24436
https://www.hertzbleed.com/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: intel

Published: 2022-06-15T20:08:51

Updated: 2024-08-03T04:13:55.437Z

Reserved: 2022-02-18T00:00:00

Link: CVE-2022-24436

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-06-15T21:15:09.293

Modified: 2022-06-28T15:05:29.613

Link: CVE-2022-24436

Redhat

Severity : Moderate

Publid Date: 2022-06-14T00:00:00Z

Links: CVE-2022-24436 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Intel(R) Processors", "vendor": "n/a", "versions": [{"status": "affected", "version": "See references"}]}], "descriptions": [{"lang": "en", "value": "Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access."}], "problemTypes": [{"descriptions": [{"description": " information disclosure ", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-06-24T15:06:34", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220624-0007/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@intel.com", "ID": "CVE-2022-24436", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Intel(R) Processors", "version": {"version_data": [{"version_value": "See references"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": " information disclosure "}]}]}, "references": {"reference_data": [{"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html", "refsource": "MISC", "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html"}, {"name": "https://security.netapp.com/advisory/ntap-20220624-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220624-0007/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:13:55.437Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220624-0007/"}]}]}, "cveMetadata": {"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2022-24436", "datePublished": "2022-06-15T20:08:51", "dateReserved": "2022-02-18T00:00:00", "dateUpdated": "2024-08-03T04:13:55.437Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:intel:*:*:*:*:*:*:*:*:*", "matchCriteriaId": "89CBE93C-BB36-4F26-9F73-554C9BB8E131", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access."}, {"lang": "es", "value": "Un comportamiento observable en la regulaci\u00f3n de la administraci\u00f3n de la energ\u00eda para algunos procesadores Intel(R) puede permitir que un usuario autenticado permita potencialmente una divulgaci\u00f3n de informaci\u00f3n por medio del acceso a la red"}], "id": "CVE-2022-24436", "lastModified": "2022-06-28T15:05:29.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-15T21:15:09.293", "references": [{"source": "secure@intel.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220624-0007/"}, {"source": "secure@intel.com", "tags": ["Vendor Advisory"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html"}], "sourceIdentifier": "secure@intel.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Christopher Fletcher (University of Illinois Urbana-Champaign), David Kohlbrenner (University of Washington), Elizabeth Tang He (University of Illinois Urbana-Champaign), Hovav Shacham (University of Texas at Austin), Riccardo Paccagnella (University of Illinois Urbana-Champaign), and Yingchen Wang (University of Texas at Austin) for reporting this issue.", "bugzilla": {"description": "hw: cpu: cryptographic leaks via frequency scaling attacks(Intel)", "id": "2097184", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097184"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-1240", "details": ["Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.", "A potential vulnerability in some Intel\u00ae processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure."], "mitigation": {"lang": "en:us", "value": "Currently, there is no mitigation for this flaw. Intel has provided some guidance to developers of Cryptographic software to harden their libraries and applications against Hertzbleed. More information is available in the official Intel and AMD security advisories linked at the bottom of this document.\nA workload-independent workaround to mitigate Hertzbleed is to disable frequency boost. However, this is not recommended since it will significantly affect performance.\nReference:\nhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/frequency-throttling-side-channel-guidance.html"}, "name": "CVE-2022-24436", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "redhat-virtualization-host", "product_name": "Red Hat Virtualization 4"}], "public_date": "2022-06-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24436\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24436\nhttps://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1038\nhttps://www.hertzbleed.com/\nhttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html"], "threat_severity": "Moderate"}