Bug 1192953 - (CVE-2021-0071) VUL-0: CVE-2021-0071: kernel-firmware: Improper input validation in firmware for some Intel(R) PROSet/Wireless WiFi in UEFI
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/315223/
CVSSv3.1:SUSE:CVE-2021-0071:6.8:(AV:A...
Reported: 2021-11-22 15:59 UTC by Thomas Leroy
Modified: 2022-06-09 09:27 UTC

Found By: Security Response Team
Description Thomas Leroy 2021-11-22 15:59:07 UTC
CVE-2021-0071

Improper input validation in firmware for some Intel(R) PROSet/Wireless WiFi in
UEFI may allow an unauthenticated user to potentially enable escalation of
privilege via adjacent access.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0071
http://www.cvedetails.com/cve/CVE-2021-0071/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00509.html
Comment 1 Thomas Leroy 2021-11-22 15:59:53 UTC
Marcus, do you have any clue about this issue?
Comment 2 Marcus Meissner 2021-11-22 16:08:11 UTC
this firmware would be in kernel-firmware ... -> takashi
Comment 3 Takashi Iwai 2021-11-29 16:00:28 UTC
Details please: which firmware file and version has to be replaced, etc.
Comment 4 Thomas Leroy 2021-11-30 14:00:40 UTC
According to Intel, the list of affected firmware is:

Intel® PROSet/Wireless WiFi products:
Intel® Wi-Fi 6E AX210
Intel® Wi-Fi 6 AX201
Intel® Wi-Fi 6 AX200
Intel® Wireless-AC 9560
Intel® Wireless-AC 9462
Intel® Wireless-AC 9461
Intel® Wireless-AC 9260
Intel® Dual Band Wireless-AC 8265
Intel® Dual Band Wireless-AC 8260
Intel® Dual Band Wireless-AC 3168
Intel® Wireless 7265 (Rev D) Family
Intel® Dual Band Wireless-AC 3165

Killer™ WiFi products:
Killer™ Wi-Fi 6E AX1675       
Killer™ Wi-Fi 6 AX1650
Killer™ Wireless-AC 1550


After further investigation, I found that iwlwifi firmware is impacted.
I found in kernel-firmware that we seem to ship:
- iwlwifi-9260
- iwlwifi-8265
- iwlwifi-3168
- iwlwifi-7265
- iwlwifi-7265D

For the other products, it seems that they are not contained in kernel-firmware.

Now, for the vulnerable versions, it would be hard to find the precise range of affected Intel wifi firmware. But according to Intel, updated versions of the firmware were streamed on August 10th, 2021. Therefore, it would be logical that every version of linux-firmware after this date is patched.
Comment 5 Takashi Iwai 2021-11-30 14:16:16 UTC
Well, the suggested date and the commit date in linux-firmware git tree don't match exactly, so it's difficult to judge.

The 8000 and older families seem to have received the update in a commit on March 10,
56115b259807e0417f30ef84bc6d2093572e6901
    iwlwifi: update 8000 family firmwares
etc.  If the fix is recent and already included in linux-firmware git tree, those must correspond.

The 9000 series got a more update in Nov 1
564d97abfa7d0071c47be16e7b691fdc7c6cf22b
    iwlwifi: update 9000-family firmwares to core64-96
Comment 6 Takashi Iwai 2021-11-30 14:22:34 UTC
Adding Marc and Pragyan to Cc for more information.

Pragyan, could you ask whether the suggested fixes have been really upstreamed to linux-firmware git tree, and inform exactly which commits?
Comment 7 Takashi Iwai 2022-02-24 15:57:42 UTC
I pushed the updates for iwlwifi firmware for bsc#1196333, and this should cover this well.

Reassigned back to security team.
Comment 8 Gianluca Gabrielli 2022-02-28 10:58:58 UTC
(In reply to Takashi Iwai from comment #7)
> I pushed the updates for iwlwifi firmware for bsc#1196333, and this should
> cover this well.

In this case could you also mention this CVE/bsc in the change files?
Comment 9 Takashi Iwai 2022-02-28 13:58:10 UTC
(In reply to Gianluca Gabrielli from comment #8)
> (In reply to Takashi Iwai from comment #7)
> > I pushed the updates for iwlwifi firmware for bsc#1196333, and this should
> > cover this well.
> 
> In this case could you also mention this CVE/bsc in the change files?

Done, resubmitted.
Comment 12 Swamp Workflow Management 2022-03-31 13:20:03 UTC
SUSE-SU-2022:1065-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 1186938,1188662,1192953,1195786,1196333
CVE References: CVE-2021-0066,CVE-2021-0071,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-firmware-20210208-150300.4.7.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-firmware-20210208-150300.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-03-31 13:22:02 UTC
openSUSE-SU-2022:1065-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 1186938,1188662,1192953,1195786,1196333
CVE References: CVE-2021-0066,CVE-2021-0071,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-firmware-20210208-150300.4.7.1
Comment 15 Swamp Workflow Management 2022-05-19 19:21:33 UTC
SUSE-SU-2022:1751-1: An update that fixes 18 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1192953,1195786,1199459,1199470
CVE References: CVE-2021-0071,CVE-2021-26312,CVE-2021-26339,CVE-2021-26342,CVE-2021-26347,CVE-2021-26348,CVE-2021-26349,CVE-2021-26350,CVE-2021-26364,CVE-2021-26372,CVE-2021-26373,CVE-2021-26375,CVE-2021-26376,CVE-2021-26378,CVE-2021-26388,CVE-2021-33139,CVE-2021-33155,CVE-2021-46744
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Manager Retail Branch Server 4.1 (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Manager Proxy 4.1 (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Enterprise Storage 7 (src):    kernel-firmware-20200107-150100.3.31.1
SUSE Enterprise Storage 6 (src):    kernel-firmware-20200107-150100.3.31.1
SUSE CaaS Platform 4.0 (src):    kernel-firmware-20200107-150100.3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Carlos López 2022-06-09 09:27:59 UTC
Done, closing.
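
An added example, not part of the bug thread or of SUSE's tooling: the update notices in comments 12, 13 and 15 list a fixed kernel-firmware build per product, and those builds carry base versions (20210208, 20200107) older than the August 2021 date discussed in comment 4, so a patch check has to compare the full version-release against the build listed for the same product. The Python sketch below parses the "Sources used" lines and does that comparison; the function names and the simplified version ordering are assumptions, and the installed value is what `rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-firmware` prints.

```python
import re

# Constructed sample: three "Sources used" lines as they appear in the
# update notices quoted in comments 12 and 15 of this bug.
NOTICE = """\
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-firmware-20210208-150300.4.7.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-firmware-20210208-150300.4.7.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-firmware-20200107-150100.3.31.1
"""

LINE_RE = re.compile(r"^(?P<product>.+?) \(src\):\s+kernel-firmware-(?P<vr>\S+)$")


def fixed_builds(notice):
    """Return {product: fixed version-release} parsed from a notice."""
    builds = {}
    for line in notice.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            builds[m.group("product")] = m.group("vr")
    return builds


def _segments(text):
    # Numeric runs compare as integers and sort above alphabetic runs.
    return [(1, int(t), "") if t.isdigit() else (0, 0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", text)]


def vr_key(vr):
    """Ordering key for 'version-release' (simplified, not full rpmvercmp)."""
    version, _, release = vr.partition("-")
    return (_segments(version), _segments(release))


def status(product, installed_vr, notice=NOTICE):
    """'patched', 'needs update', or 'not in notice' for one host."""
    fixed = fixed_builds(notice).get(product)
    if fixed is None:
        return "not in notice"
    return "patched" if vr_key(installed_vr) >= vr_key(fixed) else "needs update"


if __name__ == "__main__":
    # Constructed installed values for illustration.
    for vr in ("20210208-150300.4.7.1", "20210208-150300.4.4.1"):
        print(vr, "->", status("SUSE Linux Enterprise Micro 5.1", vr))
```

Release fields are compared segment by segment as integers, so `3.9.1` sorts below `3.31.1` where a plain string comparison would not.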