OpenWrt Project: OPENWRT-SA-2022-10-17-1
Oct 17, 2022 - 12:00 a.m.

Security Advisory 2022-10-17-1 - Multiple issues in mac80211 and cfg80211 (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721 and CVE-2022-42722)

2022-10-17 00:00:00
OpenWrt Project
openwrt.org
Tags: linux kernel, mac80211, cfg80211, openwrt, wifi drivers, wifi networks, vulnerabilities, scanning, p2p, access point, mitigations, affecting versions, security researcher

CVSS3: 8.8
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 8.8
Confidence: High
EPSS: 0.01
Percentile: 83.6%

DESCRIPTION
Multiple vulnerabilities were found in the Linux kernel mac80211 and cfg80211 framework. OpenWrt takes the mac80211 and cfg80211 framework from the wireless backports project, which copies it from a more recent Linux kernel version.

These vulnerabilities are in the multiple BSSID (MBSSID) beacon parsing code and in the P2P-device beacon parsing code.

  • CVE-2022-41674: fix u8 overflow in cfg80211_update_notlisted_nontrans (max 256-byte overwrite; RCE)

  • CVE-2022-42719: wifi: mac80211: fix MBSSID parsing use-after-free (use-after-free condition; RCE)

  • CVE-2022-42720: wifi: cfg80211: fix BSS refcounting bugs (reference-counting use-after-free possibilities; RCE)

  • CVE-2022-42721: wifi: cfg80211: avoid nontransmitted BSS list corruption (list corruption; DoS)

  • CVE-2022-42722: wifi: mac80211: fix crash in beacon protection for P2P-device (NULL pointer dereference crash; DoS). P2P: peer-to-peer.

REQUIREMENTS
The vulnerabilities are mostly in the Wifi beacon parsing code. OpenWrt operating as a Wifi AP (access point) or Wifi client is affected when it scans for Wifi networks. A malicious attacker could exploit this by sending specially crafted packets while the target is scanning for Wifi networks. The attacker has to be physically close to the target to exploit these vulnerabilities. They can be exploited by attackers who are not necessarily part of the network; no authentication is needed. Wifi drivers in OpenWrt parse beacons from arbitrary Wifi devices nearby.

All Wifi drivers in OpenWrt use cfg80211, and many also use mac80211.

MITIGATIONS
You need to update to a fixed OpenWrt version. Fixes for the vulnerabilities are integrated in OpenWrt 22.03.2 and OpenWrt 21.02.5. Upgrading the packages with opkg update is not sufficient.

The fix is contained in the following and later versions:

AFFECTED VERSIONS
To our knowledge, OpenWrt snapshot images are affected. OpenWrt stable releases 22.03.1 and 21.02.4 and earlier are affected. Older versions of OpenWrt (e.g. OpenWrt 19.07, OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and no longer supported.
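As an added example that is not part of the advisory, the following POSIX shell check (it also runs under OpenWrt's busybox ash) classifies a router's release string against the fixed versions named above, 22.03.2 and 21.02.5, treating snapshots as affected and older branches as end of life, as the advisory does. It assumes the standard /etc/openwrt_release format with a DISTRIB_RELEASE='...' line; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt advisory. Classifies an OpenWrt
# release string against the versions fixed above (22.03.2 and 21.02.5).
# Input: the DISTRIB_RELEASE value from /etc/openwrt_release, e.g. '22.03.1'.

# Compare two dotted numeric versions field by field; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Prints "affected", "fixed" or "eol" for a release string.
# 22.03.x is fixed from 22.03.2, 21.02.x from 21.02.5; the advisory treats
# snapshot images as affected and older branches as end of life.
check_release() {
    rel="$1"
    case "$rel" in
        SNAPSHOT|*-SNAPSHOT) printf '%s\n' affected; return ;;
        22.03|22.03.*) fixed_in=22.03.2 ;;
        21.02|21.02.*) fixed_in=21.02.5 ;;
        *) printf '%s\n' eol; return ;;
    esac
    rel="${rel%%-*}"   # drop an -rcN suffix: release candidates predate the fix
    if [ "$(vercmp "$rel" "$fixed_in")" -lt 0 ]; then
        printf '%s\n' affected
    else
        printf '%s\n' fixed
    fi
}

# Extract DISTRIB_RELEASE from an /etc/openwrt_release-style file.
release_from_file() {
    sed -n "s/^DISTRIB_RELEASE='\(.*\)'$/\1/p" "$1"
}

# Constructed sample standing in for a router's /etc/openwrt_release.
SAMPLE="$(mktemp)"
printf "DISTRIB_ID='OpenWrt'\nDISTRIB_RELEASE='22.03.1'\n" > "$SAMPLE"
check_release "$(release_from_file "$SAMPLE")"   # prints: affected
rm -f "$SAMPLE"
```

On a real device, replace the sample with `check_release "$(release_from_file /etc/openwrt_release)"`; a result of "eol" means the branch receives no fix at all and a full image upgrade to a supported release is needed.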

CREDITS
Thanks to security researcher Sönke Huster from TU Darmstadt ( [email protected] ) and Johannes Berg from Intel for identifying the problems and fixing them in the upstream Linux kernel.
