Inadequate Encryption Strength Affecting firmware-nonfree package, versions <20210818-1


Severity

Recommended
0.0
low
0
10

Snyk's Security Team recommends NVD's CVSS assessment

    Threat Intelligence

    EPSS
    0.1% (43rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN12-FIRMWARENONFREE-1546179
  • published 12 May 2021
  • disclosed 11 May 2021

How to fix?

Upgrade Debian:12 firmware-nonfree to version 20210818-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream firmware-nonfree package and not the firmware-nonfree package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

CVSS Scores

version 3.1
Expand this section

NVD

Recommended
2.6 low
  • Attack Vector (AV)
    Adjacent
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

SUSE

4.2 medium
Expand this section

Red Hat

3.1 low