A remotely exploitable vulnerability has been discovered in a Linux Wi-Fi driver that could allow an attacker to completely compromise the system. The problem affects operating systems based on Linux kernel version 5.3.6 and below. A patch has already been proposed and will probably be included in the next Linux update, after which it will propagate to distributions.
The vulnerability, registered as CVE-2019-17666, is present in the rtlwifi driver, which is responsible for the interaction between some Realtek Wi-Fi modules and the Linux operating system. The problem is caused by a possible buffer overflow, which an attacker could use to cause a catastrophic failure or to execute third-party code in the context of the kernel.
Nicolas Waisman, a leading information security specialist at GitHub, discovered the problem. According to the researcher, the vulnerability existed for at least four years before it was identified.
“The bug is very serious. If the device has a Realtek driver (rtlwifi), it is vulnerable, and someone within range of the wireless network can take advantage of this to attack,” said the expert.
The vulnerability manifests when processing packets transmitted using the Notice of Absence (NoA) protocol, which is part of the Wi-Fi Direct standard, also known as Wi-Fi P2P.
When working in Wi-Fi Direct mode, devices on a wireless network communicate with each other directly, and one of them plays the role of an access point for the group. To reduce power consumption, such a node uses NoA to announce periods of “silence”: time intervals during which P2P clients are not allowed to use the radio channel. To this end, it includes the corresponding signaling element in its beacon frames and response messages.
As it turned out, when parsing NoA frames, the rtlwifi code that implements Wi-Fi Direct does not check the size of some of the data. As a result, an attacker can add crafted information elements to a beacon frame and thereby provoke a buffer overflow.
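The following C parser is an added, simplified illustration of the bound that a size-unaware NoA parser omits; it is not rtlwifi code. The NoA attribute layout (ID 12, 2-byte little-endian length, index, CTWindow byte, then 13-byte descriptors) follows the Wi-Fi P2P specification, while the table capacity, the sample frames and all names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define NOA_ATTR_ID   12   /* P2P attribute ID: Notice of Absence */
#define NOA_DESC_LEN  13   /* Count/Type(1) Duration(4) Interval(4) StartTime(4) */
#define NOA_MAX_DESC   2   /* fixed capacity of the receive-side table (assumed) */

struct noa_desc { uint8_t count_type; uint32_t duration, interval, start_time; };
struct noa_state { uint8_t index, ctwindow; int ndesc; struct noa_desc desc[NOA_MAX_DESC]; };

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Parse one NoA attribute (ID, 2-byte LE length, body) from a received frame.
 * Returns the number of descriptors stored, or -1 if the attribute is truncated
 * or carries more descriptors than the fixed table can hold. */
int parse_noa_attr(const uint8_t *buf, size_t buf_len, struct noa_state *st)
{
    if (buf_len < 3 || buf[0] != NOA_ATTR_ID)
        return -1;
    size_t attr_len = buf[1] | (size_t)buf[2] << 8;
    if (attr_len < 2 || attr_len > buf_len - 3)   /* claimed length vs. bytes actually received */
        return -1;
    size_t ndesc = (attr_len - 2) / NOA_DESC_LEN;
    /* The bound a size-unaware parser omits: a frame-supplied count above
     * NOA_MAX_DESC would make the copy below run past desc[] into the memory
     * after the struct. Reject rather than clamp so the caller can log the frame. */
    if (ndesc > NOA_MAX_DESC)
        return -1;
    const uint8_t *body = buf + 3;
    memset(st, 0, sizeof *st);
    st->index = body[0]; st->ctwindow = body[1];
    for (size_t i = 0; i < ndesc; i++) {
        const uint8_t *d = body + 2 + i * NOA_DESC_LEN;
        st->desc[i].count_type = d[0];
        st->desc[i].duration   = le32(d + 1);
        st->desc[i].interval   = le32(d + 5);
        st->desc[i].start_time = le32(d + 9);
    }
    st->ndesc = (int)ndesc;
    return st->ndesc;
}

/* Constructed sample attributes (not captured traffic). */
static const uint8_t noa_two_desc[] = {
    12, 28, 0, 1, 0x80,                          /* ID 12, length 2+2*13, index, CTWindow */
    0xFF, 100,0,0,0, 200,0,0,0, 0xE8,0x03,0,0,   /* continuous: duration 100, interval 200, start 1000 */
    1, 5,0,0,0, 6,0,0,0, 7,0,0,0 };
static const uint8_t noa_four_desc[3 + 2 + 4 * NOA_DESC_LEN] = { 12, 54, 0, 1, 0 };  /* 4 descriptors: too many */
static const uint8_t noa_truncated[] = { 12, 28, 0, 1, 0x80, 0xFF, 100 };           /* claims 28 bytes, has 4 */
struct noa_state g_state;
```

Both rejected frames are well-formed as far as their headers go; only the comparison of frame-supplied lengths against the received buffer and the table capacity catches them.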
Exploitation, according to Waisman, is carried out by sending a malicious packet to a vulnerable Linux device; no authentication or action by the victim is required.
The vulnerability can only be used when Wi-Fi is turned on and the attacked device uses Realtek Wi-Fi chips. If successful, the outcome of the attack can be disastrous.
“The exploit provokes a buffer overflow. This means that the author of the attack can cause Linux to crash or even achieve remote code execution – but then you need a suitable exploit, and writing it is not easy,” says Waisman.