=== chris14_ is now known as chris14
=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: sarnold
hallynhm, https://ubuntu.com/security/CVE-2022-21216 - "may allow a privileged user to potentially enable escalation of privilege via adjacent network access" - what kind of gibberish is this?15:18
-ubottu:#ubuntu-security- Insufficient granularity of access control in out-of-band management in some Intel(R) Atom and Intel Xeon Scalable Processors may allow a privileged user to potentially enable escalation of privilege via adjacent network access. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21216>15:18
hallyndo they have to be privileged on my machine to begin with or not?15:18
hallynif root on a box sitting on the switch next to mine can ... "escalate privs" on my box, that's very different.15:19
hallyngiven that it's a firmware update, i wouldn't be surprised, but...15:19
=== martums010135 is now known as martums01013
=== tomreyn_ is now known as tomreyn
tewardhallyn: my understanding of 'adjacent network access' means privileged access in OOB Management in one system could spill over to adjacent systems running the same firmware/API/etc on its OOB management mechanisms regardless of privileged access on the adjacent machine19:23
tewardso in theory: VULNERABLEMACHINE privileged user could enable OTHERMACHINE privileged access via adjacent network connection/access19:23
tewardbut that's specifically due to Out Of Band management tools19:23
teward(so IPMI, etc. possibly?)19:24
tewardi wouldn't call that "gibberish" but "complicated, hard to understand terminology use"19:24
hallynthanks.  "network adjacent' could mean different things to people working at different levels, and for something where everyone has to make a decision on priority, i expected to see a bit more detail by the time i'd clicked 5 'for more information' links :)19:37
hallyn(just explaining what i meant by "gibberish" - not asking you for more info - thank you again :)19:38
tomreynthis vulnerability in intel hardware/firmware was identified by intel staff - pretty surely you won't see technical details discussed openly. and, like most of the time when vulnerabilities are identified 'internally', at least by some enterprise like intel, you don't even get a clear description.19:42
tewardwhat tomreyn said20:07
tewardso it's up to interpretation basically on what that means20:07
tewardhallyn: ^20:08

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!