A researcher discovered a critical Linux vulnerability, tracked as CVE-2019-17666, that could be exploited to fully compromise vulnerable machines.

Nico Waisman, principal security engineer at Github, discovered a critical Linux flaw, tracked as CVE-2019-17666, that could be exploited by attackers to fully compromise vulnerable machines.

Found this bug on Monday. An overflow on the linux rtlwifi driver on P2P (Wifi-Direct), while parsing Notice of Absence frames.

The bug has been around for at least 4 years https://t.co/rigXOEId29 pic.twitter.com/vlVwHbUNmf — Nico Waisman (@nicowaisman) October 17, 2019

The vulnerability affects Linux versions through 5.3.6, according to the researchers the issue exists at least since 2015.

The vulnerability is a heap buffer overflow issue that resides in the “ rtlwifi ” driver that allows certain Realtek Wi-Fi modules to communicate with the Linux operating system.

“rtl_p2p_noa_ie in drivers/net/wireless/ realtek / rtlwifi / ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.” reads the description published by NVD.

The issue affects a feature called the Notice of Absence protocol implemented in the “ rtlwifi ” driver. The protocol is used by devices to autonomously power down their radio and save energy.

“The Notice of Absence (NoA) protocol allows a P2P GO to announce time intervals, referred to as absence periods, where P2P Clients are not allowed to access the channel, regardless of whether they are in power save or in active mode. In this way, a P2P GO can autonomously decide to power down its radio to save energy.” reads a paper on Device to device communications.

The expert noticed that the driver fails to correctly handle Notice of Absence packets.

“Nicolas Waisman noticed that even though noa_len is checked for a compatible length it’s still possible to overrun the buffers of p2pinfo since there’s no check on the upper bound of noa_num. Bound noa_num against P2P_MAX_NOA_NUM.” reads the security advisory.

An attacker could use packets with incorrect length to trigger the flaw and cause the system to crash.

An unauthenticated attacker could trigger the flaw only if he is within the radio range of the target device.

“The vulnerability triggers an overflow, which means it could make Linux crash or if a proper exploit is written (which is not trivial), an attacker could obtain remote code-execution,” Waisman explained to the Threatpost.

The Linux kernel team has already developed a fix that is currently under revision, it has not yet been included into the Linux kernel.

Pierluigi Paganini

(SecurityAffairs – Linux Kernel, hacking)