Security Advisory 2022-10-17-1 - Multiple issues in mac80211 and cfg80211 (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721 and CVE-2022-42722)
Hauke Mehrtens
hauke at hauke-m.de
Mon Oct 17 15:49:48 PDT 2022
DESCRIPTION
Multiple vulnerabilities were found in the Linux Kernel mac80211 and
cfg80211 framework. OpenWrt takes the mac80211 and cfg80211 framework
from the wireless backports project which copies it from a more recent
Linux kernel version.
These vulnerabilities are in the multi BSSID (MBSSID) beacon parsing
code and the P2P-device beacon parsing code.
* CVE-2022-41674 [0]: fix u8 overflow in
cfg80211_update_notlisted_nontrans (max 256 byte overwrite) (RCE)
* CVE-2022-42719 [1]: wifi: mac80211: fix MBSSID parsing use-after-free
use after free condition (RCE)
* CVE-2022-42720 [2]: wifi: cfg80211: fix BSS refcounting bugs ref
counting use-after-free possibilities (RCE)
* CVE-2022-42721 [3]: wifi: cfg80211: avoid nontransmitted BSS list
corruption list corruption (DOS)
* CVE-2022-42722 [4]: wifi: mac80211: fix crash in beacon protection
for P2P-device NULL ptr dereference crash (DOS)
REQUIREMENTS
The vulnerabilities are mostly in the Wifi beacon parsing code. OpenWrt
operating as Wifi AP or Wifi client is affected when it scans for Wifi
networks. A malicious attacker could exploit this by sending specially
crafted packets while the target is scanning for Wifi networks. A
malicious attacker has to be physically close to the target to exploit
these vulnerabilities. This can be exploited by attackers which are not
necessary part of the network, no authentication needed. Wifi drivers in
OpenWrt will parse beacons from arbitrary Wifi devices nearby.
All Wifi drivers in OpenWrt are using cfg80211 and many are using mac80211.
MITIGATIONS
You need to update to a fixed OpenWrt version. Fixes for the
vulnerabilities are integrated in OpenWrt 22.03.2 and OpenWrt 21.02.5.
Upgrading the packages with opkg update is not sufficient.
The fix is contained in the following and later versions:
* OpenWrt master: 2022-10-13 (fixed by reboot-20925-g26f400210d6b)
* OpenWrt 22.03: 2022-10-13 (fixed by v22.03.1-16-gf1de43d0a0)
* OpenWrt 21.02: 2022-10-13 (fixed by v21.02.4-2-gfa9a932fdb)
AFFECTED VERSIONS
To our knowledge, OpenWrt snapshot images are affected. OpenWrt stable
release versions 22.03.1 and OpenWrt 21.02.4 and earlier are affected.
Older versions of OpenWrt (e.g. OpenWrt 19.07, OpenWrt 18.06, OpenWrt
15.05 and LEDE 17.01) are end of life and not supported any more.
CREDITS
Thanks to security researcher Sönke Huster from TU Darmstadt (
shuster at seemoo.tu-darmstadt.de ) and Johannes Berg from Intel for
identifying the problems and fixing them in the upstream Linux kernel.
[5,6].
REFERENCES
0. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41674
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42719
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42720
3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42721
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42722
5. https://lwn.net/ml/oss-security/20221013101046.GB20615@suse.de/
6.
https://lwn.net/ml/oss-security/ff7256bc-418b-e833-18d8-bc9700f6d77e@seemoo.tu-darmstadt.de/
More information about the openwrt-announce
mailing list