Bug 1196333

Summary: VUL-0: kernel-firmware: multiple vulnerabilities in Wi-Fi firmware (INTEL-SA-00539,INTEL-SA-00582)
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/323351/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-0066:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2021-0072:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) CVSSv3.1:SUSE:CVE-2021-0076:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-0161:6.7:(AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2021-0164:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2021-0165:6.5:(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-0166:6.7:(AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2021-0168:6.7:(AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2021-0170:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) CVSSv3.1:SUSE:CVE-2021-0172:6.5:(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-0173:6.5:(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-0174:6.5:(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-0175:6.5:(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-0176:4.4:(AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-0183:6.5:(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-33113:8.1:(AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) CVSSv3.1:SUSE:CVE-2021-33114:5.7:(AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2022-02-23 09:56:13 UTC
INTEL-SA-00539

CVEID:  CVE-2021-0161
Description: Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID:  CVE-2021-0164
Description: Improper access control in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CVEID:  CVE-2021-0165
Description: Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0066
Description: Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.2 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVEID:  CVE-2021-0166
Description: Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N

CVEID:  CVE-2021-0168
Description: Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 5.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID:  CVE-2021-0170
Description: Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 5.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID:  CVE-2021-0172
Description: Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0173
Description: Improper Validation of Consistency within input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0174
Description: Improper Use of Validation Framework in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0175
Description:  Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0076
Description:  Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable denial of service via local access.
CVSS Base Score: 5.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CVEID:  CVE-2021-0176
Description: Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable denial of service via local access.
CVSS Base Score: 5.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CVEID:  CVE-2021-0183
Description:  Improper Validation of Specified Index, Position, or Offset in Input in software for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 4.7 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVEID:  CVE-2021-0072
Description: Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable information disclosure via local access.
CVSS Base Score: 4.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected Products:

Intel® PROSet/Wireless Wi-Fi products:
    Intel® Wi-Fi 6E AX210
    Intel® Wi-Fi 6 AX201
    Intel® Wi-Fi 6 AX200
    Intel® Wireless-AC 9560
    Intel® Wireless-AC 9462
    Intel® Wireless-AC 9461
    Intel® Wireless-AC 9260
    Intel® Dual Band Wireless-AC 8265
    Intel® Dual Band Wireless-AC 8260
    Intel® Dual Band Wireless-AC 3168
    Intel® Wireless 7265 (Rev D) Family
    Intel® Dual Band Wireless-AC 3165

Intel® AMT Wireless products:
    Intel® Wi-Fi 6 AX210
    Intel® Wi-Fi 6 AX201
    Intel® Wi-Fi 6 AX200
    Intel® Wireless-AC 9560
    Intel® Wireless-AC 9260
    Intel® Dual Band Wireless-AC 8265
    Intel® Dual Band Wireless-AC 8260
Comment 1 Carlos López 2022-02-23 09:57:21 UTC
I omitted issues affecting only Windows from the first comment.

It looks like these got fixed in the November update:
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=7db04787b4d62fc96e6b305229af4221cd89ee0b
Comment 2 Takashi Iwai 2022-02-23 10:13:06 UTC
I guess it's the very same update mentioned in bug 1195786.

Which CVE entries are interesting for us at all?  I'm going to submit the update with the listed CVEs for both bugzilla entries.
Comment 3 Carlos López 2022-02-23 10:16:55 UTC
(In reply to Takashi Iwai from comment #2)
> I guess it's the very same update mentioned in bug 1195786.

Well, this one is for Wi-Fi firmware and that one was for Bluetooth, they are addressed through different binary blobs.

> Which CVE entries are interesting for us at all?  I'm going to submit the
> update with the listed CVEs for both bugzilla entries.

All of the ones I listed above affect Linux according to Intel.
Comment 4 Takashi Iwai 2022-02-23 10:24:09 UTC
I see.

AFAIK, the only relevant updates for this would be only SLE15-SP3:Update.  The older kernels don't use those firmware at all, and SLE15-SP4 already contains the updated firmware.
Comment 5 Carlos López 2022-02-23 11:06:24 UTC
(In reply to Takashi Iwai from comment #4)
> AFAIK, the only relevant updates for this would be only SLE15-SP3:Update. 
> The older kernels don't use those firmware at all, and SLE15-SP4 already
> contains the updated firmware.

Correct me if I'm wrong, but we require updates for the 9000 and 9200 blobs in older codestreams, right? The fixed version for both is 46.5e069cbd.0.

SUSE:SLE-12-SP4:Update/kernel-firmware:
	WHENCE:1021:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1022-Version: 46.3cfab8da.0
	WHENCE:1039:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1040-Version: 46.3cfab8da.0

SUSE:SLE-15:Update/kernel-firmware
	WHENCE:1029:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1030-Version: 46.6bf1df06.0
	WHENCE:1047:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1048-Version: 46.6bf1df06.0

SUSE:SLE-15-SP1:Update/kernel-firmware
	WHENCE:1029:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1030-Version: 46.6bf1df06.0
	WHENCE:1047:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1048-Version: 46.6bf1df06.0

SUSE:SLE-15-SP3:Update/kernel-firmware
	WHENCE:1029:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1030-Version: 46.4d093a30.0
	WHENCE:1047:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1048-Version: 46.4d093a30.0

SUSE:SLE-15-SP4:Update/kernel-firmware
	WHENCE:1029:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1030-Version: 46.4e1ceb39.0
	WHENCE:1047:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1048-Version: 46.4e1ceb39.0
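
The version check done by hand in comment 5, as an added example (not part of the original thread and not SUSE tooling): it parses WHENCE `File:`/`Version:` pairs, either raw or as `grep -n -A1` output, and compares the two tracked blobs against the fixed version quoted there. The function names and the `PATCHED` sample are assumptions made for illustration; the `SLE12_SP4` excerpt is copied from the comment.

```python
import re

FIXED_VERSION = "46.5e069cbd.0"   # fixed version named in comment 5
TRACKED = ("iwlwifi-9000-pu-b0-jf-b0-46.ucode",
           "iwlwifi-9260-th-b0-jf-b0-46.ucode")

# Accepts raw WHENCE lines and `grep -n -A1` output ("WHENCE:1021:File: ...").
ENTRY = re.compile(r"^(?:\S+?[:-]\d+[:-])?\s*(File|Version):\s*(\S+)")

def parse_whence(text):
    """Map each File: entry to the Version: line that follows it (or None)."""
    versions, current = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "File":
            current = value
            versions.setdefault(current, None)
        elif current is not None:
            versions[current] = value
            current = None
    return versions

def audit(text, fixed=FIXED_VERSION):
    """Return {blob: status} for the tracked blobs in one WHENCE excerpt."""
    found = parse_whence(text)
    result = {}
    for blob in TRACKED:
        if blob not in found:
            result[blob] = "not shipped"
        elif found[blob] is None:
            result[blob] = "version unknown"
        elif found[blob] == fixed:
            result[blob] = "fixed"
        else:
            # The middle field is treated as an opaque build id, so only
            # equality with the fixed version is checked, never ordering.
            result[blob] = "needs update (%s)" % found[blob]
    return result

# SLE12_SP4 is copied from comment 5; PATCHED is constructed for contrast.
SLE12_SP4 = """WHENCE:1021:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
WHENCE-1022-Version: 46.3cfab8da.0
WHENCE:1039:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
WHENCE-1040-Version: 46.3cfab8da.0"""
PATCHED = """File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
Version: 46.5e069cbd.0
File: iwlwifi-9260-th-b0-jf-b0-46.ucode"""
```

A "needs update" result only says the package ships an older blob; whether a given kernel actually loads the `*-46.ucode` files is a separate question, which is the point raised in comment 6.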
Comment 6 Takashi Iwai 2022-02-23 11:21:18 UTC
The actual use of those *-46.ucode are from SLE15-SP2 kernels although kernel-firmware packages already contained the files in older releases.  So, SLE15-SP1:Update would be needed for covering SLE15-SP2-LTSS, too.
Comment 7 Carlos López 2022-02-23 11:30:32 UTC
Thank you very much for the clarification Takashi. Tracking the following as affected:
 - SUSE:SLE-15-SP1:Update (for SLE15-SP2-LTSS)
 - SUSE:SLE-15-SP3:Update
 - SUSE:SLE-15-SP4:Update
Comment 8 Takashi Iwai 2022-02-23 11:49:42 UTC
SLE15-SP4 already contains the updated firmware.
Comment 9 Carlos López 2022-02-23 11:51:10 UTC
(In reply to Takashi Iwai from comment #8)
> SLE15-SP4 already contains the updated firmware.

True, thanks :)
Comment 11 Takashi Iwai 2022-02-24 15:53:47 UTC
Submitted to both branches.  Reassigned back to security team.
Comment 12 Carlos López 2022-02-28 09:17:17 UTC
This update also fixes CVE-2021-33113 and CVE-2021-33114 (INTEL-SA-00582).
Comment 14 Swamp Workflow Management 2022-03-04 14:28:05 UTC
SUSE-SU-2022:0721-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1195786,1196333
CVE References: CVE-2021-0066,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    kernel-firmware-20200107-3.26.1
SUSE Manager Retail Branch Server 4.1 (src):    kernel-firmware-20200107-3.26.1
SUSE Manager Proxy 4.1 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Micro 5.0 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-firmware-20200107-3.26.1
SUSE Enterprise Storage 7 (src):    kernel-firmware-20200107-3.26.1
SUSE Enterprise Storage 6 (src):    kernel-firmware-20200107-3.26.1
SUSE CaaS Platform 4.0 (src):    kernel-firmware-20200107-3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-03-31 13:20:13 UTC
SUSE-SU-2022:1065-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 1186938,1188662,1192953,1195786,1196333
CVE References: CVE-2021-0066,CVE-2021-0071,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-firmware-20210208-150300.4.7.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-firmware-20210208-150300.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-03-31 13:22:12 UTC
openSUSE-SU-2022:1065-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 1186938,1188662,1192953,1195786,1196333
CVE References: CVE-2021-0066,CVE-2021-0071,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-firmware-20210208-150300.4.7.1
Comment 19 Carlos López 2022-06-08 13:34:16 UTC
Done, closing.