Red Hat Enterprise Linux 6.0 Overflow Vulnerability

Summary

A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.

Credit:

The information has been provided by Pedro Sampaio 

The original article can be found at: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3846


Details

The problem is in the mwifiex_update_bss_desc_with_ie function in drivers/net/wireless/marvell/mwifiex/scan.c.

When a STA connects to an AP, mwifiex_update_bss_desc_with_ie is called to update the BSS descriptor. This function parses the IEs of the beacon packet. When processing the WLAN_EID_SUPP_RATES element, it does not check the length of the rates data before calling memcpy; the destination buffer, bss_entry->data_rates, is an array of size MWIFIEX_SUPPORTED_RATES (14).

A remote attacker can set up a fake AP that sends a malicious beacon packet with a long WLAN_EID_SUPP_RATES element (element_len > 14). When a victim STA connects to the fake AP, this triggers the heap buffer overflow.
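
The missing check, shown in a reduced user-space model of the IE walk (an added example, not the driver's code and not the upstream patch). The struct bss_desc, the function parse_beacon_ies and the sample buffers are hypothetical and constructed for illustration; only WLAN_EID_SUPP_RATES, MWIFIEX_SUPPORTED_RATES, data_rates and element_len come from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_EID_SUPP_RATES     1   /* element ID defined by IEEE 802.11 */
#define MWIFIEX_SUPPORTED_RATES 14  /* destination size stated in the advisory */

/* Hypothetical, reduced stand-in for the driver's BSS descriptor. */
struct bss_desc {
    uint8_t data_rates[MWIFIEX_SUPPORTED_RATES];
    size_t  rates_len;
};

/* Constructed samples: an SSID plus a 4-byte rates element, and a 16-byte rates element. */
static const uint8_t ok_ies[]  = { 0, 2, 'a', 'b', 1, 4, 0x82, 0x84, 0x8b, 0x96 };
static const uint8_t bad_ies[] = { 1, 16, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

/* Walk the ID/length/value elements; return 0 on success, -1 on a malformed or oversized element. */
int parse_beacon_ies(struct bss_desc *bss, const uint8_t *ies, size_t len)
{
    size_t pos = 0;

    while (len - pos >= 2) {
        uint8_t element_id  = ies[pos];
        uint8_t element_len = ies[pos + 1];

        /* The element must lie entirely inside the received buffer. */
        if (element_len > len - pos - 2)
            return -1;
        if (element_id == WLAN_EID_SUPP_RATES) {
            /* The check described as missing: without it, the memcpy below
             * writes past data_rates[] whenever element_len > 14. */
            if (element_len > MWIFIEX_SUPPORTED_RATES)
                return -1;
            memcpy(bss->data_rates, &ies[pos + 2], element_len);
            bss->rates_len = element_len;
        }
        pos += 2 + (size_t)element_len;
    }
    return pos == len ? 0 : -1;  /* leftover bytes cannot form an element header */
}

int main(void)
{
    struct bss_desc bss = {0};
    return !(parse_beacon_ies(&bss, ok_ies, sizeof ok_ies) == 0 &&
             parse_beacon_ies(&bss, bad_ies, sizeof bad_ies) == -1);
}
```

Rejecting the element is one option; a parser could instead truncate to the destination size, but it must never let the length field taken from the frame decide how much is copied.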

 

Vulnerable Systems:

  • Red Hat Enterprise Linux 6.0
  • Red Hat Enterprise Linux 7.0
  • Red Hat Enterprise Linux 8.0

CVE Information:

CVE-2019-3846

Disclosure Timeline:
Publish Date: 06/03/2019
