Security Advisory

CVE-2022-36382 – Ethernet Controller Firmware (TH-3350)
Published: March 26, 2024
Last Update: March 26, 2024
Summary

In February 2023, Intel published vulnerabilities affecting some Intel Ethernet Controllers, including the 700 Series [1]. For A10 Networks products, CVE-2022-36382 [2] may allow an escalation of privilege or a denial of service. Exploiting this flaw in the controller firmware requires local access to the system.

Item #   Vulnerability ID   Score Source   Score      Summary
1        CVE-2022-36382     CVSSv3.0       8.8 High   Out-of-bounds write in firmware for some Intel Ethernet Network Controllers and Adapters: E810, 700 Series [1]

Affected Releases

This is not a vulnerability in ACOS itself; it is a vulnerability in the firmware of Intel E810 and 700 Series Ethernet Controllers. A10 Networks TH-3350 devices manufactured before October 2024 may carry firmware vulnerable to this issue. See the mitigation procedure below for instructions on updating the Intel Ethernet controller firmware in affected TH-3350 devices.

Intel 700 Series controllers may also be present in vThunder or Bare Metal ACOS systems. In those cases it is the customer's responsibility to ensure that the Intel 700 Series Ethernet controller firmware is updated as appropriate so that these systems are not exposed to this vulnerability.

Workarounds and Mitigations

The following mitigation procedure is recommended for all A10 Networks TH-3350 devices manufactured before October 2024, to upgrade their underlying Intel 700 Series controller firmware.

First, download the “TH3350-update-cve-2022-36382.upg” file from the A10 Networks support software download site to a local system that the TH-3350 device can reach over SCP.

Second, update the Ethernet controller firmware on the TH-3350 device by using the “upgrade” command in config mode, pointing it at the downloaded package:

ACOS(config)# upgrade hd pri use-mgmt-port scp://user@/home/user/TH3350-update-cve-2022-36382.upg
Password []?
 
Do you want to reboot the system after the upgrade?[yes/no]:no
Getting upgrade package ...
..
Done (0 minutes 3 seconds)
Decrypt upgrade package ...
..
Done (0 minutes 3 seconds)
Checking integrity of upgrade package ...
Upgrade file integrity checking passed (0 minutes 1 seconds)
Expand the upgrade package now ...
.
Done (0 minutes 2 seconds)
Upgrade ...
...........Upgrade failed 
ACOS(config)(LOADING)#[446354.863762] reboot: Restarting system

The command output reports “Upgrade failed” when updating the firmware even though the firmware update succeeds. This only indicates that the ACOS software on the device was not changed, and it is expected.

The device reboots after the upgrade command completes. This reboot is required and happens even if “no” is answered to the question “Do you want to reboot the system after the upgrade?”.

Lastly, after the reboot, verify the result of the firmware update by viewing the varlog entries. An entry similar to the following indicates that the firmware was updated successfully, showing the new firmware version:

show varlog tail 5000 | include firmware-version
Mar 15 04:02:38 localhost axlog: Updated all interfaces successfully to firmware-version: 9.20 0x8000d8bc 0.0.0.0

If the update was unsuccessful, an entry indicates that the update did not succeed and shows how many interfaces were updated, if any. Note that this entry does not contain the string “firmware-version”, so it is filtered out by “include firmware-version”; view the unfiltered varlog tail to see it. For example:

Only updated 4/8 interfaces.
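When the procedure is run across a fleet of TH-3350 devices, the collected varlog tails have to be checked one by one for the two entries above. The following script is an added example, not A10 Networks code or part of ACOS: it classifies an unfiltered varlog tail as a full update, a partial update (with the N/M interface count) or unknown, taking the latest matching entry as the verdict so that an earlier partial attempt followed by a later success is counted as updated. The sample log text is constructed from the entries shown in this advisory; the device names and timestamps are made up, and the three fields of the firmware-version string are split on the assumption that they follow the NVM-version, eTrack-ID and OEM-version layout that Linux ethtool prints for these controllers.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Patterns for the two varlog entries the advisory shows after the upgrade.
SUCCESS_RE = re.compile(
    r"Updated all interfaces successfully to firmware-version:\s*"
    r"(?P<nvm>\S+)(?:\s+(?P<etrack>0x[0-9A-Fa-f]+))?(?:\s+(?P<oem>\S+))?"
)
PARTIAL_RE = re.compile(r"Only updated (?P<done>\d+)/(?P<total>\d+) interfaces")


@dataclass
class FirmwareUpdateResult:
    status: str                        # "updated", "partial" or "unknown"
    nvm_version: Optional[str] = None  # e.g. "9.20" (field layout is an assumption)
    etrack_id: Optional[str] = None    # e.g. "0x8000d8bc"
    oem_version: Optional[str] = None  # e.g. "0.0.0.0"
    updated: Optional[int] = None      # interfaces updated, from "Only updated N/M"
    total: Optional[int] = None
    entry: Optional[str] = None        # the log line the verdict came from


def check_varlog(log_text: str) -> FirmwareUpdateResult:
    """Classify the outcome of the firmware update from an unfiltered varlog tail.

    varlog output is chronological, so the LAST matching entry is the verdict:
    a partial update followed by a later full success counts as updated.
    Text with no matching entry yields "unknown".
    """
    result = FirmwareUpdateResult(status="unknown")
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SUCCESS_RE.search(line)
        if m:
            result = FirmwareUpdateResult(
                status="updated",
                nvm_version=m.group("nvm"),
                etrack_id=m.group("etrack"),
                oem_version=m.group("oem"),
                entry=line,
            )
            continue
        m = PARTIAL_RE.search(line)
        if m:
            result = FirmwareUpdateResult(
                status="partial",
                updated=int(m.group("done")),
                total=int(m.group("total")),
                entry=line,
            )
    return result


def devices_needing_attention(logs: Dict[str, str]) -> List[str]:
    """Return the names of devices whose log does not show a full update."""
    return sorted(name for name, text in logs.items()
                  if check_varlog(text).status != "updated")


# Constructed sample output modelled on the entries in this advisory; the
# device names, timestamps and the unrelated line are made up for the example.
SAMPLE_LOGS = {
    "th3350-a": (
        "Mar 15 04:02:38 localhost axlog: Updated all interfaces successfully "
        "to firmware-version: 9.20 0x8000d8bc 0.0.0.0\n"
    ),
    "th3350-b": "Mar 15 04:05:10 localhost axlog: Only updated 4/8 interfaces.\n",
    "th3350-c": (
        "Mar 15 03:59:00 localhost axlog: Only updated 4/8 interfaces.\n"
        "Mar 15 04:30:12 localhost axlog: Updated all interfaces successfully "
        "to firmware-version: 9.20 0x8000d8bc 0.0.0.0\n"
    ),
    "th3350-d": "Mar 15 04:01:00 localhost axlog: upgrade package received\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_LOGS.items():
        r = check_varlog(text)
        print(f"{name}: {r.status} nvm={r.nvm_version} updated={r.updated}/{r.total}")
    print("needs attention:", devices_needing_attention(SAMPLE_LOGS))
```

Feed each device's varlog tail (collected without the “include firmware-version” filter, so that the “Only updated N/M interfaces.” entry is not dropped) into check_varlog; any device reported as partial or unknown should have the upgrade command re-run and its log re-checked.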

If this upgrade is applied to an A10 Networks device that is not a TH-3350, the command fails as shown below:

Checking integrity of upgrade package ...
Incorrect software for the model

Software Updates

Software updates that address this vulnerability are or will be published at the following URL, near the bottom of the page in the “Other Updates and Tools” section, under the heading “Thunder 3350 Firmware Security Update for CVE-2022-36382”:

https://support.a10networks.com/support/axseries

Vulnerability Details

The following table gives a brief description of the vulnerability addressed in this document.

Vulnerability ID   Vulnerability Description
CVE-2022-36382     Out-of-bounds write in firmware for some Intel(R) Ethernet Network Controllers and Adapters E810 Series before version 1.7.0.8 and some Intel(R) Ethernet 700 Series Controllers and Adapters before version 9.101 may allow a privileged user to potentially enable denial of service via local access.

Acknowledgements

None

Modification History
Revision   Date             Description
1.0        March 26, 2024   Initial Publication


© Copyright 2024 A10 Networks, Inc. All Rights Reserved.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.