SB2022030425 - SUSE update for kernel-firmware
Published: March 4, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2021-0066)
The vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in firmware. A local attacker can pass specially crafted input to the application and gain elevated privileges.
2) Information disclosure (CVE-ID: CVE-2021-0072)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in firmware. A local administrator can gain unauthorized access to sensitive information on the system.
3) Input validation error (CVE-ID: CVE-2021-0076)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of specified index, position, or offset in Input in firmware. A local administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.
4) Input validation error (CVE-ID: CVE-2021-0161)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in firmware. A local administrator on the local network can pass specially crafted input to the application and gain elevated privileges on the target system.
5) Improper access control (CVE-ID: CVE-2021-0164)
The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in firmware. A local user can bypass implemented security restrictions and gain elevated privileges on the system.
6) Input validation error (CVE-ID: CVE-2021-0165)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in firmware. A remote attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.
7) Input validation error (CVE-ID: CVE-2021-0166)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in firmware. A local administrator can enable escalation of privileges.
8) Input validation error (CVE-ID: CVE-2021-0168)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in firmware. A local administrator can enable escalation of privileges.
9) Information disclosure (CVE-ID: CVE-2021-0170)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in firmware. A local user can gain unauthorized access to sensitive information on the system.
10) Input validation error (CVE-ID: CVE-2021-0172)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in firmware. A remote attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.
11) Input validation error (CVE-ID: CVE-2021-0173)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of consistency within input in firmware. A remote attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.
12) Input validation error (CVE-ID: CVE-2021-0174)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper use of validation framework in firmware. A remote attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.
13) Input validation error (CVE-ID: CVE-2021-0175)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of specified index, position, or offset in Input in firmware. A remote attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.
14) Input validation error (CVE-ID: CVE-2021-0176)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in firmware. A local administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.
15) Input validation error (CVE-ID: CVE-2021-0183)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of specified index, position, or offset in Input in software. A remote attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.
16) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2021-33139)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper check for unusual or exceptional conditions in firmware. A remote authenticated attacker on the local network can perform a denial of service (DoS) attack.
17) Input validation error (CVE-ID: CVE-2021-33155)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in firmware. A remote authenticated attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.