Several Linux WLAN vulnerabilities discovered that allow remote code execution


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt the affected system.

News recently broke that a number of vulnerabilities have been identified in the wireless stack (mac80211) of the Linux kernel, some of which can lead to buffer overflows and remote code execution when an access point sends specially crafted packets. So far the fix is only available as a patch.

A security researcher from TU Darmstadt reported the initial problem to SUSE: a buffer overwrite inside the mac80211 framework of the Linux kernel, triggered by WLAN frames.

While investigating it together with Intel, they found several other problems. What makes these WiFi security issues more serious is that they can be exploited over the air, via malicious packets on untrusted wireless networks.

We delegated the problem to the core security people, and Soenke and
Johannes Berg of Intel evaluated and worked on this problem.

During their investigation they found multiple more problems in the WLAN
stack, exploitable over the air.

The patch set was posted to the netdev list a moment ago and will be
merged in the next few hours/days.

  • CVE-2022-41674: buffer overflow in the cfg80211_update_notlisted_nontrans function, allowing up to 256 bytes to be overwritten on the heap. The vulnerability has been present since Linux kernel 5.1 and can be used for remote code execution.
  • CVE-2022-42719: access to an already freed memory area (use after free) in the MBSSID parsing code. The vulnerability has been present since Linux kernel 5.2 and can be used for remote code execution. The use-after-free flaw was found in ieee802_11_parse_elems_full in net/mac80211/util.c, in the handling of the multi-BSSID element, and is triggered while the kernel parses that element.
  • CVE-2022-42720: use after free in the reference-counting code for BSS (Basic Service Set) handling. The vulnerability has been present since Linux kernel 5.1 and can be used for remote code execution. Attackers within radio range (capable of injecting WLAN frames) could use various refcounting bugs in the handling of multiple BSSs in the mac80211 stack, in Linux kernel 5.1 up to 5.19.x before 5.19.16, to trigger use-after-free conditions and potentially execute code.
  • CVE-2022-42721: a list corruption flaw was found in cfg80211_add_nontrans_list in net/wireless/scan.c in the Linux kernel. It corrupts the BSS list, which results in an infinite loop. The vulnerability has been present since Linux kernel 5.1 and can be used to cause a denial of service.
  • CVE-2022-42722: a flaw affecting P2P devices on WiFi was found in ieee80211_rx_h_decrypt in net/mac80211/rx.c in the Linux kernel: a NULL pointer dereference in the beacon frame protection code. The problem can be used to cause a denial of service.
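As an added check that is not part of the article, the following POSIX shell function tells whether a kernel version string falls inside the range the article states for CVE-2022-42720 (5.1 up to, but not including, 5.19.16). It only encodes that one range, because the page gives no fixed version for the other CVEs, and distribution kernels with backported fixes keep their old version numbers, so a hit means "consult your vendor's advisory", not confirmed exposure.

```shell
#!/bin/sh
# Constructed example: compare an upstream kernel version against the
# affected range quoted in the article for CVE-2022-42720.
# kernel_affected VERSION -> exit 0 if VERSION is in [5.1, 5.19.16),
#                            1 if outside that range, 2 if unparseable.
kernel_affected() {
    v=${1%%-*}                          # strip "-48-generic", "-arch1-1", ...
    v=${v%%+*}                          # strip "+" local build suffixes
    major=$(echo "$v" | cut -d. -f1)
    minor=$(echo "$v" | cut -d. -f2)
    patch=$(echo "$v" | cut -d. -f3)
    patch=${patch:-0}                   # "5.10" means 5.10.0
    for n in "$major" "$minor" "$patch"; do
        case "$n" in
            ''|*[!0-9]*) echo "unparseable version: $1" >&2; return 2 ;;
        esac
    done
    [ "$major" -eq 5 ] || return 1      # only the 5.x series is in the range
    [ "$minor" -ge 1 ] || return 1      # 5.0 and earlier predate the bug
    [ "$minor" -lt 19 ] && return 0     # 5.1 .. 5.18.x: in range
    [ "$minor" -eq 19 ] && [ "$patch" -lt 16 ] && return 0
    return 1                            # 5.19.16 and later carry the fix
}

# Run with --self to check the running kernel. A distribution kernel may
# already carry the backported fix under an older version number.
if [ "${1:-}" = "--self" ]; then
    running=$(uname -r)
    if kernel_affected "$running"; then
        echo "$running is within the affected range; confirm with your distribution's advisory"
    else
        echo "$running is outside the range stated for CVE-2022-42720"
    fi
fi
```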

To demonstrate that the bugs found can be exploited, example frames that trigger the overflow have been published, together with a utility that feeds those frames into the 802.11 wireless stack, which makes it possible to cause a denial of service.

It is noted that the vulnerabilities are independent of the wireless driver in use. The identified issues are expected to be usable for building working exploits for remote attacks on affected systems.

As for the fixes, Linus Torvalds picked up the WiFi security fixes as part of further networking updates for the Linux 6.1 merge window.

The corrective patches have already been released and incorporated into the stable series and into the updates of the main currently supported Linux distributions; they should also be picked up in the next rounds of point releases over the coming days.

Finally, if you are interested in learning more about it, you can check the details in the following link.
