Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 : Intel Microcode vulnerabilities (USN-7866-1)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-7866-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(274751);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/11");

  script_cve_id(
    "CVE-2025-20053",
    "CVE-2025-20109",
    "CVE-2025-21090",
    "CVE-2025-22839",
    "CVE-2025-22840",
    "CVE-2025-22889",
    "CVE-2025-24305",
    "CVE-2025-26403",
    "CVE-2025-32086"
  );
  script_xref(name:"USN", value:"7866-1");

  script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 : Intel Microcode vulnerabilities (USN-7866-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 host has a package installed
that is affected by multiple vulnerabilities as referenced in the USN-7866-1 advisory.

    Barak Gross discovered that some Intel Xeon processors with SGX enabled did not properly handle buffer
    restrictions. A local authenticated user could potentially use this issue to escalate their privileges.
    (CVE-2025-20053)

    Avinash Maddy discovered that some Intel processors did not properly isolate or compartmentalize the
    stream cache mechanisms. A local authenticated user could potentially use this issue to escalate their
    privileges. (CVE-2025-20109)

    Joseph Nuzman discovered that some Intel Xeon processors did not properly manage references to active
    allocate resources. A local authenticated user could potentially use this issue to cause a denial of
    service (system crash). (CVE-2025-21090)

    It was discovered that some Intel Xeon 6 processors did not properly provide sufficient granularity of
    access control in the out of band management service module (OOB-MSM). An authenticated user could
    potentially use this issue to escalate their privileges. (CVE-2025-22839)

    It was discovered that some Intel Xeon 6 Scalable processors did not properly handle a specific
    sequence of processor instructions, leading to unexpected behavior. A local authenticated user could
    potentially use this issue to escalate their privileges. (CVE-2025-22840)

    Joseph Nuzman discovered that some Intel Xeon 6 processors with Intel Trust Domain Extensions
    (Intel TDX) did not properly handle overlap between protected memory ranges. A local authenticated user
    could potentially use this issue to escalate their privileges. (CVE-2025-22889)

    Avraham Shalev discovered that some Intel Xeon processors did not properly provide sufficient control
    flow management in the Alias Checking Trusted Module (ACTM) firmware. A local authenticated user could
    potentially use this issue to escalate their privileges. (CVE-2025-24305)

    Aviv Eisen and Avraham Shalev discovered that some Intel Xeon 6 processors when using Intel SGX or
    Intel TDX did not properly protect against out-of-bounds writes in the memory subsystem. A local
    authenticated user could potentially use this issue to escalate their privileges. (CVE-2025-26403)

    Aviv Eisen and Avraham Shalev discovered that some Intel Xeon 6 processors when using Intel SGX or
    Intel TDX did not properly implement security checks in the DDRIO configuration. A local authenticated
    user could potentially use this issue to escalate their privileges. (CVE-2025-32086)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-7866-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected intel-microcode package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-20109");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-22889");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2025-22839");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/08/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:intel-microcode");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2025 Canonical, Inc. / NASL script (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "ubuntu_pro_sub_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release || '24.04' >< os_release || '25.04' >< os_release || '25.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 22.04 / 24.04 / 25.04 / 25.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var ubuntu_pro_detected = get_kb_item('Host/Ubuntu/Pro/Services/esm-apps');
ubuntu_pro_detected = !empty_or_null(ubuntu_pro_detected);

var pro_caveat_needed = FALSE;

var pkgs = [
    {'osver': '16.04', 'pkgname': 'intel-microcode', 'pkgver': '3.20250812.0ubuntu0.16.04.1+esm1', 'ubuntu_pro': TRUE},
    {'osver': '18.04', 'pkgname': 'intel-microcode', 'pkgver': '3.20250812.0ubuntu0.18.04.1+esm1', 'ubuntu_pro': TRUE},
    {'osver': '20.04', 'pkgname': 'intel-microcode', 'pkgver': '3.20250812.0ubuntu0.20.04.1+esm1', 'ubuntu_pro': TRUE},
    {'osver': '22.04', 'pkgname': 'intel-microcode', 'pkgver': '3.20250812.0ubuntu0.22.04.1', 'ubuntu_pro': FALSE},
    {'osver': '24.04', 'pkgname': 'intel-microcode', 'pkgver': '3.20250812.0ubuntu0.24.04.1', 'ubuntu_pro': FALSE},
    {'osver': '25.04', 'pkgname': 'intel-microcode', 'pkgver': '3.20250812.0ubuntu0.25.04.1', 'ubuntu_pro': FALSE},
    {'osver': '25.10', 'pkgname': 'intel-microcode', 'pkgver': '3.20250812.0ubuntu0.25.10.1', 'ubuntu_pro': FALSE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  var pro_required = NULL;
  if (!empty_or_null(package_array['ubuntu_pro'])) pro_required = package_array['ubuntu_pro'];
  if (osver && pkgname && pkgver) {
    if (deb_check(release:osver, prefix:pkgname, reference:pkgver, cves:cves)) {
        flag++;
        if (!ubuntu_pro_detected && !pro_caveat_needed) pro_caveat_needed = pro_required;
    }
  }
}

if (flag)
{
  var extra = '';
  if (pro_caveat_needed) {
    extra += 'NOTE: This vulnerability check contains fixes that apply to packages only \n';
    extra += 'available in Ubuntu ESM repositories. Access to these package security updates \n';
    extra += 'require an Ubuntu Pro subscription.\n\n';
  }
  extra += ubuntu_report_get();
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : extra
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'intel-microcode');
}