SUSE update for kernel-firmware

1) Inadequate Encryption Strength

EUVDB-ID: #VU25646

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-15126

CWE-ID: CWE-326 - Inadequate Encryption Strength

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to decrypt Wi-Fi frames.

The vulnerability exists because after an affected device handles a disassociation event it can send a limited number of Wi-Fi frames encrypted with a static, weak Pairwise Temporal Key (PTK). A remote attacker on the local network can acquire these frames and decrypt them with the static PTK without the knowledge of the security session establishment used to secure the Wi-Fi network.

Mitigation

Update the affected package kernel-firmware to the latest version.

Vulnerable software versions

SUSE MicroOS: 5.0

SUSE Linux Enterprise Module for Basesystem: 15-SP2

ucode-amd: before 20200107-3.23.1

kernel-firmware: before 20200107-3.23.1

CPE2.3

• cpe:2.3:o:suse:suse_microos:5.0:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_basesystem:15-SP2:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20214201-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.