Anolis OS update for linux-firmware

1) Use-after-free

EUVDB-ID: #VU78572

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-20593

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in AMD Zen2 processors. A local user can trigger a use-after-free error and execute arbitrary code on the system.

Note, the vulnerability was dubbed Zenbleed.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

linux-firmware: before 20230404-117.git2e92a49f

libertas-usb8388-olpc-firmware: before 20230404-117.git2e92a49f

libertas-usb8388-firmware: before 20230404-117.git2e92a49f

libertas-sd8787-firmware: before 20230404-117.git2e92a49f

libertas-sd8686-firmware: before 20230404-117.git2e92a49f

iwl7260-firmware: before 25.30.13.0-117

iwl6050-firmware: before 41.28.5.1-117

iwl6000g2b-firmware: before 18.168.6.1-117

iwl6000g2a-firmware: before 18.168.6.1-117

iwl6000-firmware: before 9.221.4.1-117

iwl5150-firmware: before 8.24.2.2-117

iwl5000-firmware: before 8.83.5.1_1-117

iwl4965-firmware: before 228.61.2.24-117

iwl3945-firmware: before 15.32.2.9-117

iwl3160-firmware: before 25.30.13.0-117

iwl2030-firmware: before 18.168.6.1-117

iwl2000-firmware: before 18.168.6.1-117

iwl135-firmware: before 18.168.6.1-117

iwl105-firmware: before 18.168.6.1-117

iwl1000-firmware: before 39.31.5.1-117

iwl100-firmware: before 39.31.5.1-117

CPE2.3

• cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
• cpe:2.3:a:openanolis:linux-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:libertas-usb8388-olpc-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:libertas-usb8388-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:libertas-sd8787-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:libertas-sd8686-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl7260-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl6050-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl6000g2b-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl6000g2a-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl6000-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl5150-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl5000-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl4965-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl3945-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl3160-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl2030-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl2000-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl135-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl105-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl1000-firmware:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:iwl100-firmware:*:*:*:*:*:anolis_os:*:*

External links

https://anas.openanolis.cn/errata/detail/ANSA-2023:0544

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.