Differences

advisory:2022-10-17-1 [2022/10/16 22:07] – created hauke
advisory:2022-10-17-1 [2022/10/17 18:31] – add CVE links hauke
Line 11: Line 11:
  
 Multiple vulnerabilities were found in the Linux Kernel mac80211 and cfg80211 framework. Multiple vulnerabilities were found in the Linux Kernel mac80211 and cfg80211 framework.
-OpenWrt takes the mac80211 and cfg80211 framework from the wireless backports project which copies it from a more recent Linux kernel version. +OpenWrt takes the mac80211 and cfg80211 framework from the wireless backports project which copies it from a more recent Linux kernel version.
  
-  * CVE-2022-41674: fix u8 overflow in cfg80211_update_notlisted_nontrans (max 256 byte overwrite) (RCE) +These vulnerabilities are in the Multi BSSID (MBSSID) parsing code and the P2P-device beacon parsing code. 
-  * CVE-2022-42719: wifi: mac80211: fix MBSSID parsing use-after-free use after free condition (RCE) + 
-  * CVE-2022-42720: wifi: cfg80211: fix BSS refcounting bugs ref counting use-after-free possibilities (RCE) +  [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41674|CVE-2022-41674]]: fix u8 overflow in cfg80211_update_notlisted_nontrans (max 256 byte overwrite) (RCE) 
-  * CVE-2022-42721: wifi: cfg80211: avoid nontransmitted BSS list corruption list corruption, according to Johannes will however just make it endless loop (DOS) +  * [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42719|CVE-2022-42719]]: wifi: mac80211: fix MBSSID parsing use-after-free use after free condition (RCE) 
-  * CVE-2022-42722: wifi: mac80211: fix crash in beacon protection for P2P-device NULL ptr dereference crash (DOS)+  * [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42720|CVE-2022-42720]]: wifi: cfg80211: fix BSS refcounting bugs ref counting use-after-free possibilities (RCE) 
 +  * [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42721|CVE-2022-42721]]: wifi: cfg80211: avoid nontransmitted BSS list corruption list corruption (DOS) 
 +  * [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42722|CVE-2022-42722]]: wifi: mac80211: fix crash in beacon protection for P2P-device NULL ptr dereference crash (DOS)
  
 ===== REQUIREMENTS ===== ===== REQUIREMENTS =====
 /* Describe how a malicious attacker could exploit this vulnerability */ /* Describe how a malicious attacker could exploit this vulnerability */
  
-The vulnerabilities are mostly in the Wifi beacon parsing code. client which scans for Wifi networks is affected+The vulnerabilities are mostly in the Wifi beacon parsing code. OpenWrt operating as Wifi AP and Wifi client are affected when it scans for networks.
 An attacker could exploit this by sending specially crafted packets while the target is scanning for new networks. An attacker could exploit this by sending specially crafted packets while the target is scanning for new networks.
 +This can be exploited by attackers which are not part of the network, no authentication needed. Wifi drivers in OpenWrt will parse beacons from arbitrary Wifi devices nearby. 
  
 All Wifi drivers in OpenWrt are using cfg80211 and many are using mac80211.  All Wifi drivers in OpenWrt are using cfg80211 and many are using mac80211. 
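Review bot: in the new version's CVE list, the CVE-2022-41674 entry is the only one without the leading `  * ` list marker the other four entries carry, so it will render as a separate indented line instead of the first bullet of the list; add the marker so all five CVEs form one list. Two smaller points in the same hunk: the entries run the upstream commit title straight into the impact note ("fix MBSSID parsing use-after-free use after free condition"), which reads as an accidental duplication, so a separator such as " - " between the commit title and the impact note would help; and the rewritten REQUIREMENTS sentence mixes number ("OpenWrt operating as Wifi AP and Wifi client are affected when it scans for networks"), which should be either "is affected when it scans" or "are affected when they scan". Note also that the remark on CVE-2022-42721 ("according to Johannes will however just make it endless loop") was dropped in the new revision; if that was intentional, the (DOS) classification still stands on its own.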
Line 32: Line 35:
 /* describe at least how to mitigate or workaround it.                   */ /* describe at least how to mitigate or workaround it.                   */
  
-Update to a fixed OpenWrt version. Fixes for the vulnerabilities are integrated in OpenWrt 22.03.2 and OpenWrt 21.02.5. Upgrading the packages with opkg update is not sufficient. +Update to a fixed OpenWrt version. Fixes for the vulnerabilities are integrated in OpenWrt 22.03.2 and OpenWrt 21.02.5. Upgrading the packages with opkg update is not sufficient.
  
 The fix is contained in the following and later versions: The fix is contained in the following and later versions:
Last modified: 2022/10/17 22:47 by hauke