Debian DLA-3596-1 : firmware-nonfree - LTS security update

2023-10-0100:00:00

www.tenable.com

debian

lts

firmware-nonfree

vulnerabilities

intel

wifi

killer

privilege escalation

denial of service

access control

input validation

protection mechanism failure

nessus scanner

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

0.0005 Low

EPSS

Percentile

18.9%

JSON

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3596 advisory.

Improper access control for some Intel® PROSet/Wireless WiFi and Killer™ WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2022-27635, CVE-2022-40964)
Improper input validation in some Intel® PROSet/Wireless WiFi and Killer™ WiFi software may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2022-36351)
Improper input validation in some Intel® PROSet/Wireless WiFi and Killer™ WiFi software may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2022-38076)
Protection mechanism failure for some Intel® PROSet/Wireless WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2022-46329)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3596. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(182408);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/01");

  script_cve_id(
    "CVE-2022-27635",
    "CVE-2022-36351",
    "CVE-2022-38076",
    "CVE-2022-40964",
    "CVE-2022-46329"
  );

  script_name(english:"Debian DLA-3596-1 : firmware-nonfree - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3596 advisory.

  - Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a
    privileged user to potentially enable escalation of privilege via local access. (CVE-2022-27635,
    CVE-2022-40964)

  - Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an
    unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2022-36351)

  - Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an
    authenticated user to potentially enable escalation of privilege via local access. (CVE-2022-38076)

  - Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi software may allow a privileged user
    to potentially enable escalation of privilege via local access. (CVE-2022-46329)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051892");
  # https://security-tracker.debian.org/tracker/source-package/firmware-nonfree
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?42c4e444");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3596");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-27635");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-36351");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-38076");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-40964");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-46329");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/firmware-nonfree");
  script_set_attribute(attribute:"solution", value:
"Upgrade the firmware-nonfree packages.

For Debian 10 buster, these problems have been fixed in version 20190114+really20220913-0+deb10u2.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-38076");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-adi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-amd-graphics");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-atheros");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-bnx2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-bnx2x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-brcm80211");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-cavium");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-intel-sound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-intelwimax");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-ipw2x00");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-ivtv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-iwlwifi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-libertas");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-linux");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-linux-nonfree");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-misc-nonfree");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-myricom");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-netronome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-netxen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-qcom-media");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-qlogic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-ralink");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-realtek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-samsung");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-siano");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-ti-connectivity");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '10.0', 'prefix': 'firmware-adi', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-amd-graphics', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-atheros', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-bnx2', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-bnx2x', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-brcm80211', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-cavium', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-intel-sound', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-intelwimax', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-ipw2x00', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-ivtv', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-iwlwifi', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-libertas', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-linux', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-linux-nonfree', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-misc-nonfree', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-myricom', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-netronome', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-netxen', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-qcom-media', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-qlogic', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-ralink', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-realtek', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-samsung', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-siano', 'reference': '20190114+really20220913-0+deb10u2'},
    {'release': '10.0', 'prefix': 'firmware-ti-connectivity', 'reference': '20190114+really20220913-0+deb10u2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'firmware-adi / firmware-amd-graphics / firmware-atheros / etc');
}

VendorProductVersionCPE
debiandebian_linuxfirmware-adip-cpe:/a:debian:debian_linux:firmware-adi
debiandebian_linuxfirmware-amd-graphicsp-cpe:/a:debian:debian_linux:firmware-amd-graphics
debiandebian_linuxfirmware-atherosp-cpe:/a:debian:debian_linux:firmware-atheros
debiandebian_linuxfirmware-bnx2p-cpe:/a:debian:debian_linux:firmware-bnx2
debiandebian_linuxfirmware-bnx2xp-cpe:/a:debian:debian_linux:firmware-bnx2x
debiandebian_linuxfirmware-brcm80211p-cpe:/a:debian:debian_linux:firmware-brcm80211
debiandebian_linuxfirmware-caviump-cpe:/a:debian:debian_linux:firmware-cavium
debiandebian_linuxfirmware-intel-soundp-cpe:/a:debian:debian_linux:firmware-intel-sound
debiandebian_linuxfirmware-intelwimaxp-cpe:/a:debian:debian_linux:firmware-intelwimax
debiandebian_linuxfirmware-ipw2x00p-cpe:/a:debian:debian_linux:firmware-ipw2x00

Vendor	Product	Version	CPE
debian	debian_linux	firmware-adi	p-cpe:/a:debian:debian_linux:firmware-adi
debian	debian_linux	firmware-amd-graphics	p-cpe:/a:debian:debian_linux:firmware-amd-graphics
debian	debian_linux	firmware-atheros	p-cpe:/a:debian:debian_linux:firmware-atheros
debian	debian_linux	firmware-bnx2	p-cpe:/a:debian:debian_linux:firmware-bnx2
debian	debian_linux	firmware-bnx2x	p-cpe:/a:debian:debian_linux:firmware-bnx2x
debian	debian_linux	firmware-brcm80211	p-cpe:/a:debian:debian_linux:firmware-brcm80211
debian	debian_linux	firmware-cavium	p-cpe:/a:debian:debian_linux:firmware-cavium
debian	debian_linux	firmware-intel-sound	p-cpe:/a:debian:debian_linux:firmware-intel-sound
debian	debian_linux	firmware-intelwimax	p-cpe:/a:debian:debian_linux:firmware-intelwimax
debian	debian_linux	firmware-ipw2x00	p-cpe:/a:debian:debian_linux:firmware-ipw2x00