Bug 1196333 – VUL-0: kernel-firmware: multiple vulnerabilities in Wi-Fi firmware (INTEL-SA-00539,INTEL-SA-00582)

Bug 1196333 - VUL-0: kernel-firmware: multiple vulnerabilities in Wi-Fi firmware (INTEL-SA-00539,INTEL-SA-00582)


Summary:	VUL-0: kernel-firmware: multiple vulnerabilities in Wi-Fi firmware (INTEL-SA-...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/323351/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-0066:8.4:(AV:L...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-02-23 09:56 UTC by Carlos López
Modified:	2022-06-08 13:34 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2022-02-23 09:56:13 UTC

INTEL-SA-00539

CVEID:  CVE-2021-0161
Description: Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID:  CVE-2021-0164
Description: Improper access control in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable  escalation of privilege via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CVEID:  CVE-2021-0165
Description: Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0066
Description: Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.2 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVEID:  CVE-2021-0166
Description: Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N

CVEID:  CVE-2021-0168
Description: Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 5.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID:  CVE-2021-0170
Description: Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 5.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID:  CVE-2021-0172
Description: Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0173
Description: Improper Validation of Consistency within input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0174
Description:  Improper Use of Validation Framework in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0175
Description:  Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-0076
Description:  Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable denial of service via local access.
CVSS Base Score: 5.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CVEID:  CVE-2021-0176
Description: Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable denial of service via local access.
CVSS Base Score: 5.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CVEID:  CVE-2021-0183
Description:  Improper Validation of Specified Index, Position, or Offset in Input in software for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 4.7 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVEID:  CVE-2021-0072
Description: Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 & 11 may allow a privileged user to potentially enable information disclosure via local access.
CVSS Base Score: 4.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected Products:

Intel® PROSet/Wireless Wi-Fi products:
    Intel® Wi-Fi 6E AX210
    Intel® Wi-Fi 6 AX201
    Intel® Wi-Fi 6 AX200
    Intel® Wireless-AC 9560
    Intel® Wireless-AC 9462
    Intel® Wireless-AC 9461
    Intel® Wireless-AC 9260
    Intel® Dual Band Wireless-AC 8265
    Intel® Dual Band Wireless-AC 8260
    Intel® Dual Band Wireless-AC 3168
    Intel® Wireless 7265 (Rev D) Family
    Intel® Dual Band Wireless-AC 3165

Intel® AMT Wireless products:
    Intel® Wi-Fi 6 AX210
    Intel® Wi-Fi 6 AX201
    Intel® Wi-Fi 6 AX200
    Intel® Wireless-AC 9560
    Intel® Wireless-AC 9260
    Intel® Dual Band Wireless-AC 8265
    Intel® Dual Band Wireless-AC 8260

Comment 1 Carlos López 2022-02-23 09:57:21 UTC

I omitted issues affecting only Windows from the first comment.

It looks like these got fixed in the November update:
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=7db04787b4d62fc96e6b305229af4221cd89ee0b

Comment 2 Takashi Iwai 2022-02-23 10:13:06 UTC

I guess it's the very same update mentioned in bug 1195786.

Which CVE entries are interesting for us at all?  I'm going to submit the update with the listed CVEs for both bugzilla entries.

Comment 3 Carlos López 2022-02-23 10:16:55 UTC

(In reply to Takashi Iwai from comment #2)
> I guess it's the very same update mentioned in bug 1195786.

Well, this one is for Wi-Fi firmware and that one was for Bluetooth, they are addressed through different binary blobs.

> Which CVE entries are interesting for us at all?  I'm going to submit the
> update with the listed CVEs for both bugzilla entries.

All of the ones I listed above affect Linux according to Intel.

Comment 4 Takashi Iwai 2022-02-23 10:24:09 UTC

I see.

AFAIK, the only relevant updates for this would be only SLE15-SP3:Update.  The older kernels don't use those firmwaware at all, and SLE15-SP4 already contains the updated firmware.

Comment 5 Carlos López 2022-02-23 11:06:24 UTC

(In reply to Takashi Iwai from comment #4)
> AFAIK, the only relevant updates for this would be only SLE15-SP3:Update. 
> The older kernels don't use those firmwaware at all, and SLE15-SP4 already
> contains the updated firmware.

Correct me if I'm wrong, but we require updates for the 9000 and 9200 blobs in older codestreams, right? The fixed version for both is 46.5e069cbd.0.

SUSE:SLE-12-SP4:Update/kernel-firmware:
	WHENCE:1021:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1022-Version: 46.3cfab8da.0
	WHENCE:1039:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1040-Version: 46.3cfab8da.0

SUSE:SLE-15:Update/kernel-firmware
	WHENCE:1029:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1030-Version: 46.6bf1df06.0
	WHENCE:1047:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1048-Version: 46.6bf1df06.0

SUSE:SLE-15-SP1:Update/kernel-firmware
	WHENCE:1029:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1030-Version: 46.6bf1df06.0
	WHENCE:1047:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1048-Version: 46.6bf1df06.0

SUSE:SLE-15-SP3:Update/kernel-firmware
	WHENCE:1029:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1030-Version: 46.4d093a30.0
	WHENCE:1047:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1048-Version: 46.4d093a30.0

SUSE:SLE-15-SP4:Update/kernel-firmware
	WHENCE:1029:File: iwlwifi-9000-pu-b0-jf-b0-46.ucode
	WHENCE-1030-Version: 46.4e1ceb39.0
	WHENCE:1047:File: iwlwifi-9260-th-b0-jf-b0-46.ucode
	WHENCE-1048-Version: 46.4e1ceb39.0

Comment 6 Takashi Iwai 2022-02-23 11:21:18 UTC

The actual use of those *-46.ucode are from SLE15-SP2 kernels although kernel-firmware packages already contained the files in older releases.  So, SLE15-SP1:Update would be needed for covering SLE15-SP2-LTSS, too.

Comment 7 Carlos López 2022-02-23 11:30:32 UTC

Thank your very much for the clarification Takashi. Tracking the following as affected:
 - SUSE:SLE-15-SP1:Update (for SLE15-SP2-LTSS)
 - SUSE:SLE-15-SP3:Update
 - SUSE:SLE-15-SP4:Update

Comment 8 Takashi Iwai 2022-02-23 11:49:42 UTC

SLE15-SP4 already contains the updated firmware.

Comment 9 Carlos López 2022-02-23 11:51:10 UTC

(In reply to Takashi Iwai from comment #8)
> SLE15-SP4 already contains the updated firmware.

True, thanks :)

Comment 11 Takashi Iwai 2022-02-24 15:53:47 UTC

Submitted to both branches.  Reassigned back to security team.

Comment 12 Carlos López 2022-02-28 09:17:17 UTC

This update also fixes CVE-2021-33113 and CVE-2021-33114 (INTEL-SA-00582).

Comment 14 Swamp Workflow Management 2022-03-04 14:28:05 UTC

SUSE-SU-2022:0721-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1195786,1196333
CVE References: CVE-2021-0066,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    kernel-firmware-20200107-3.26.1
SUSE Manager Retail Branch Server 4.1 (src):    kernel-firmware-20200107-3.26.1
SUSE Manager Proxy 4.1 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise Micro 5.0 (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-firmware-20200107-3.26.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-firmware-20200107-3.26.1
SUSE Enterprise Storage 7 (src):    kernel-firmware-20200107-3.26.1
SUSE Enterprise Storage 6 (src):    kernel-firmware-20200107-3.26.1
SUSE CaaS Platform 4.0 (src):    kernel-firmware-20200107-3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2022-03-31 13:20:13 UTC

SUSE-SU-2022:1065-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 1186938,1188662,1192953,1195786,1196333
CVE References: CVE-2021-0066,CVE-2021-0071,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-firmware-20210208-150300.4.7.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-firmware-20210208-150300.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Swamp Workflow Management 2022-03-31 13:22:12 UTC

openSUSE-SU-2022:1065-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 1186938,1188662,1192953,1195786,1196333
CVE References: CVE-2021-0066,CVE-2021-0071,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-firmware-20210208-150300.4.7.1

Comment 19 Carlos López 2022-06-08 13:34:16 UTC

Done, closing.