* Heads up: Various Linux Kernel WiFi security issues (RCE/DOS) disclosed
@ 2022-10-15 16:18 Peter Müller
2022-10-17 13:35 ` Michael Tremer
0 siblings, 1 reply; 2+ messages in thread
From: Peter Müller @ 2022-10-15 16:18 UTC (permalink / raw)
To: development
Hello development folks,

in case you have not noticed already, there are reports on a series of memory-related
security vulnerabilities in Linux' WiFi component, some with RCE potential, others "just"
allowing an adversary in WiFi proximity to DoS the system.

Please find more information here: https://www.openwall.com/lists/oss-security/2022/10/13/5

IPFire is vulnerable to all of these except for CVE-2022-42722, which requires a P2P
device to be set up on the victim system as a precondition for successful exploitation.

Patches are available (so is PoC exploit code), and have been merged into Linux 5.15.74,
released earlier today: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.74

As for ready-to-use exploits, I have not seen anything arriving on exploit DB & friends,
but I guess that is a matter of time. Given the vulnerabilities' characteristics, however,
exploitation will likely be more of a wardriving style.

While there is no reason to panic, I would like to ship these fixes rather soon. Briefly
discussed this with Michael on the phone yesterday, and we both agree not to update the
kernel that is currently in Core Update 171 (which is anticipated to be released next
week).

However, I was thinking about cherry-picking the relevant (14) commits from kernel
5.15.74, which would greatly buy us time for Core Update 172, have our users protected,
and is less likely to cause collateral damage than shipping vanilla 5.15.74.

Should there be no vetoes on this until Tuesday morning, I would go for this option. As
always, any comments/criticism/questions are greatly appreciated.

All the best,
Peter Müller
* Re: Heads up: Various Linux Kernel WiFi security issues (RCE/DOS) disclosed
From: Michael Tremer @ 2022-10-17 13:35 UTC (permalink / raw)
To: development
Hello Peter,
> On 15 Oct 2022, at 17:18, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello development folks,
>
> in case you have not noticed already, there are reports on a series of memory-related
> security vulnerabilities in Linux' WiFi component, some with RCE potential, others "just"
> allowing an adversary in WiFi proximity to DoS the system.
>
> Please find more information here: https://www.openwall.com/lists/oss-security/2022/10/13/5
>
> IPFire is vulnerable to all of these except for CVE-2022-42722, which requires a P2P
> device to be set up on the victim system as a precondition for successful exploitation.
>
> Patches are available (so is PoC exploit code), and have been merged into Linux 5.15.74,
> released earlier today: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.74
>
> As for ready-to-use exploits, I have not seen anything arriving on exploit DB & friends,
> but I guess that is a matter of time. Given the vulnerabilities' characteristics, however,
> exploitation will likely be more of a wardriving style.
>
> While there is no reason to panic, I would like to ship these fixes rather soon. Briefly
> discussed this with Michael on the phone yesterday, and we both agree not to update the
> kernel that is currently in Core Update 171 (which is anticipated to be released next
> week).
>
> However, I was thinking about cherry-picking the relevant (14) commits from kernel
> 5.15.74, which would greatly buy us time for Core Update 172, have our users protected,
> and is less likely to cause collateral damage than shipping vanilla 5.15.74.
Yes, I believe that this is the way to go.
Please send a patch :)
> Should there be no vetoes on this until Tuesday morning, I would go for this option. As
> always, any comments/criticism/questions are greatly appreciated.
>
> All the best,
> Peter Müller
-Michael