Security Advisory 2022-10-17-1 - Multiple issues in mac80211 and cfg80211 (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721 and CVE-2022-42722)

Hauke Mehrtens hauke at hauke-m.de
Mon Oct 17 15:49:48 PDT 2022 

DESCRIPTION

Multiple vulnerabilities were found in the Linux Kernel mac80211 and 
cfg80211 framework. OpenWrt takes the mac80211 and cfg80211 framework 
from the wireless backports project which copies it from a more recent 
Linux kernel version.

These vulnerabilities are in the multi BSSID (MBSSID) beacon parsing 
code and the P2P-device beacon parsing code.

  * CVE-2022-41674 [0]: fix u8 overflow in
    cfg80211_update_notlisted_nontrans (max 256 byte overwrite) (RCE)
  * CVE-2022-42719 [1]: wifi: mac80211: fix MBSSID parsing use-after-free
    use after free condition (RCE)
  * CVE-2022-42720 [2]: wifi: cfg80211: fix BSS refcounting bugs ref
    counting use-after-free possibilities (RCE)
  * CVE-2022-42721 [3]: wifi: cfg80211: avoid nontransmitted BSS list
    corruption list corruption (DOS)
  * CVE-2022-42722 [4]: wifi: mac80211: fix crash in beacon protection
    for P2P-device NULL ptr dereference crash (DOS)


REQUIREMENTS

The vulnerabilities are mostly in the Wifi beacon parsing code. OpenWrt 
operating as Wifi AP or Wifi client is affected when it scans for Wifi 
networks. A malicious attacker could exploit this by sending specially 
crafted packets while the target is scanning for Wifi networks. A 
malicious attacker has to be physically close to the target to exploit 
these vulnerabilities. This can be exploited by attackers which are not 
necessary part of the network, no authentication needed. Wifi drivers in 
OpenWrt will parse beacons from arbitrary Wifi devices nearby.

All Wifi drivers in OpenWrt are using cfg80211 and many are using mac80211.


MITIGATIONS

You need to update to a fixed OpenWrt version. Fixes for the 
vulnerabilities are integrated in OpenWrt 22.03.2 and OpenWrt 21.02.5. 
Upgrading the packages with opkg update is not sufficient.

The fix is contained in the following and later versions:

  * OpenWrt master: 2022-10-13 (fixed by reboot-20925-g26f400210d6b)
  * OpenWrt 22.03: 2022-10-13 (fixed by v22.03.1-16-gf1de43d0a0)
  * OpenWrt 21.02: 2022-10-13 (fixed by v21.02.4-2-gfa9a932fdb)


AFFECTED VERSIONS

To our knowledge, OpenWrt snapshot images are affected. OpenWrt stable 
release versions 22.03.1 and OpenWrt 21.02.4 and earlier are affected. 
Older versions of OpenWrt (e.g. OpenWrt 19.07, OpenWrt 18.06, OpenWrt 
15.05 and LEDE 17.01) are end of life and not supported any more.


CREDITS

Thanks to security researcher Sönke Huster from TU Darmstadt ( 
shuster at seemoo.tu-darmstadt.de ) and Johannes Berg from Intel for 
identifying the problems and fixing them in the upstream Linux kernel.
[5,6].


REFERENCES

0. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41674
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42719
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42720
3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42721
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42722
5. https://lwn.net/ml/oss-security/20221013101046.GB20615@suse.de/
6. 
https://lwn.net/ml/oss-security/ff7256bc-418b-e833-18d8-bc9700f6d77e@seemoo.tu-darmstadt.de/

More information about the openwrt-announce mailing list