CVE-2022-42719/CVE-2022-42720: Linux kernel RCE vulnerability
Soenke Huster from TU Darmstadt has discovered that the Linux kernel WiFi stack is affected by five high-severity vulnerabilities that an attacker can exploit to gain arbitrary code execution or cause a denial-of-service condition.
Tracked as CVE-2022-42719, the bug is a use-after-free in the ieee802_11_parse_elems_full function in net/mac80211/util.c, reached while handling the multi-BSSID element. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to execute arbitrary code or crash the system. The CVE-2022-42719 vulnerability was introduced in v5.2-rc1.
Tracked as CVE-2022-42720, the flaw is a use-after-free in the bss_ref_get function in net/wireless/scan.c, again in the handling of the multi-BSSID element. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to execute arbitrary code or crash the system. This vulnerability was introduced in v5.1-rc1.
Tracked as CVE-2022-42721, the security vulnerability is a list corruption flaw in the cfg80211_add_nontrans_list function in net/wireless/scan.c. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial-of-service condition: the corrupted list results in an endless loop. This vulnerability was introduced in v5.1-rc1.
Tracked as CVE-2022-42722, the bug is a flaw in the P2P-Device handling of the WiFi stack, in ieee80211_rx_h_decrypt in net/mac80211/rx.c. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial-of-service condition.
Tracked as CVE-2022-41674, the flaw is a buffer overflow in the cfg80211_update_notlisted_nontrans() function in net/wireless/scan.c, in the WiFi subsystem. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to crash the system or execute arbitrary code. This vulnerability was introduced in v5.1-rc1 and results in a heap overflow.
The researcher published the technical details and PoCs.
Linux kernel maintainers have now officially issued security patches. Users are advised to update Linux servers immediately and to apply the patches on other distributions as soon as they become available.
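The advisory states the kernel versions in which the bugs were introduced (v5.1-rc1 for the three net/wireless/scan.c bugs, v5.2-rc1 for CVE-2022-42719 in mac80211) but not the fixed releases, so a first step on a fleet is to sort hosts into "predates the bug", "needs patching" and "patched". The POSIX shell script below is an added example, not code from the advisory or the researcher. It classifies the running kernel against those introduced-in versions and against a fixed version you supply from your distribution's advisory (`FIXED_KERNEL`, a placeholder here), lists which of the CVEs with a stated introduced-in version apply to that kernel (CVE-2022-42722 is left out of that mapping because the advisory gives no introduced-in version for it), and reports whether the cfg80211/mac80211 modules are present. The function names, the placeholder version and the sysfs check are my assumptions. Distribution kernels backport fixes into their own stable series, so compare only against the fixed release of the same series and treat your package manager's security status as authoritative.

```shell
#!/bin/sh
# Added triage helper, not part of the advisory: classify a kernel release
# against the introduced-in versions stated in the advisory and a fixed
# version supplied by the operator from their distribution's advisory.

# Introduced-in versions, taken from the advisory text.
INTRODUCED_SCAN_C="5.1"      # CVE-2022-42720, -42721, -41674 (net/wireless/scan.c): v5.1-rc1
INTRODUCED_MAC80211="5.2"    # CVE-2022-42719 (net/mac80211/util.c): v5.2-rc1

# PLACEHOLDER: the advisory does not state fixed releases. Set FIXED_KERNEL to
# the fixed version of the *same stable series* as your kernel, taken from your
# distribution's advisory, e.g.  FIXED_KERNEL=x.y.z ./triage.sh
FIXED_KERNEL="${FIXED_KERNEL:-9.9.9}"

# base_version "5.15.0-56-generic" -> "5.15.0" (drop the distro suffix)
base_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# version_key "5.15.74" -> 5015074, so versions compare as plain integers.
# Missing components count as 0; a fourth component is ignored.
version_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    pat=${pat%%.*}
    printf '%d' $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# affected_status <uname -r string> -> "not-affected" | "vulnerable" | "patched"
# The earlier introduced-in version (v5.1) is the threshold: every kernel at or
# after it carries at least the scan.c bugs.
affected_status() {
    v=$(version_key "$(base_version "$1")")
    if [ "$v" -lt "$(version_key "$INTRODUCED_SCAN_C")" ]; then
        echo "not-affected"
    elif [ "$v" -lt "$(version_key "$FIXED_KERNEL")" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# applicable_cves <release> -> CVEs whose vulnerable code exists in that kernel,
# judged by introduced-in version only (fixes are not considered here).
applicable_cves() {
    v=$(version_key "$(base_version "$1")")
    list=""
    [ "$v" -ge "$(version_key "$INTRODUCED_SCAN_C")" ] && list="CVE-2022-42720 CVE-2022-42721 CVE-2022-41674"
    [ "$v" -ge "$(version_key "$INTRODUCED_MAC80211")" ] && list="$list CVE-2022-42719"
    echo "$list"
}

# wireless_stack_present -> 0 if cfg80211 or mac80211 is loaded or built in.
# /sys/module/<name> exists for loaded modules and for built-ins that expose
# parameters, so this is best-effort evidence, not proof of absence.
wireless_stack_present() {
    [ -d /sys/module/cfg80211 ] || [ -d /sys/module/mac80211 ]
}

main() {
    rel=$(uname -r)
    printf 'kernel %s: %s (fixed-in reference: %s)\n' "$rel" "$(affected_status "$rel")" "$FIXED_KERNEL"
    printf 'CVEs whose vulnerable code is present by version: %s\n' "$(applicable_cves "$rel")"
    if wireless_stack_present; then
        echo "cfg80211/mac80211 present: the WiFi stack is reachable, patch and reboot"
    else
        echo "cfg80211/mac80211 not present: exposure reduced, patch anyway"
    fi
}
main "$@"
```

Run it on each host with the fixed version for that host's kernel series; a "vulnerable" result on a host with the WiFi stack present is the one to schedule first, since that is where the remote code-execution bugs are reachable.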