# vim: set ts=4 sw=4 sts=4 et: ############################### # CVE-2023-23583, Reptar, Redundant Prefix Issue check_CVE_2023_23583() { check_cve 'CVE-2023-23583' } check_CVE_2023_23583_linux() { local status sys_interface_available msg status=UNK sys_interface_available=0 msg='' # there is no sysfs file for this vuln, and no kernel patch, # the mitigation is only ucode-based and there's no flag exposed, # so most of the work has already been done by is_cpu_affected() # shellcheck disable=SC2154 if ! is_cpu_affected "$cve"; then pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" elif [ -z "$g_reptar_fixed_ucode_version" ]; then # CPU matched the model blacklist but has no known fixing microcode # (likely an EOL stepping that Intel won't release a fix for) pvulnstatus "$cve" VULN "your CPU is affected and no microcode update is available for your CPU stepping" else pr_info_nol "* Reptar is mitigated by microcode: " if [ -z "$cpu_ucode" ]; then pstatus yellow UNKNOWN "couldn't get your microcode version" pvulnstatus "$cve" UNK "couldn't detect microcode version to verify mitigation" elif [ "$cpu_ucode" -lt "$g_reptar_fixed_ucode_version" ]; then pstatus yellow NO "You have ucode $(printf "0x%x" "$cpu_ucode") and version $(printf "0x%x" "$g_reptar_fixed_ucode_version") minimum is required" pvulnstatus "$cve" VULN "Your microcode is too old to mitigate the vulnerability" else pstatus green YES "You have ucode $(printf "0x%x" "$cpu_ucode") which is recent enough (>= $(printf "0x%x" "$g_reptar_fixed_ucode_version"))" pvulnstatus "$cve" OK "Your microcode mitigates the vulnerability" fi fi } check_CVE_2023_23583_bsd() { if ! is_cpu_affected "$cve"; then pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected" else pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script" fi }