DESCRIPTION

Multiple vulnerabilities were found in the Linux Kernel mac80211 and cfg80211 framework. OpenWrt takes the mac80211 and cfg80211 framework from the wireless backports project which copies it from a more recent Linux kernel version.

These vulnerabilities are in the multi BSSID (MBSSID) beacon parsing code and the P2P-device beacon parsing code.

• CVE-2022-41674 [0]: fix u8 overflow in cfg80211_update_notlisted_nontrans (max 256 byte overwrite) (RCE)
• CVE-2022-42719 [1]: wifi: mac80211: fix MBSSID parsing use-after-free use after free condition (RCE)
• CVE-2022-42720 [2]: wifi: cfg80211: fix BSS refcounting bugs ref counting use-after-free possibilities (RCE)
• CVE-2022-42721 [3]: wifi: cfg80211: avoid nontransmitted BSS list corruption list corruption (DOS)
• CVE-2022-42722 [4]: wifi: mac80211: fix crash in beacon protection for P2P-device NULL ptr dereference crash (DOS)

REQUIREMENTS

The vulnerabilities are mostly in the Wifi beacon parsing code. OpenWrt operating as Wifi AP or Wifi client is affected when it scans for Wifi networks. A malicious attacker could exploit this by sending specially crafted packets while the target is scanning for Wifi networks. A malicious attacker has to be physically close to the target to exploit these vulnerabilities. This can be exploited by attackers which are not necessary part of the network, no authentication needed. Wifi drivers in OpenWrt will parse beacons from arbitrary Wifi devices nearby.

All Wifi drivers in OpenWrt are using cfg80211 and many are using mac80211.

MITIGATIONS

You need to update to a fixed OpenWrt version. Fixes for the vulnerabilities are integrated in OpenWrt 22.03.2 and OpenWrt 21.02.5. Upgrading the packages with opkg update is not sufficient.

The fix is contained in the following and later versions:

• OpenWrt master: 2022-10-13 (fixed by reboot-20925-g26f400210d6b)
• OpenWrt 22.03: 2022-10-13 (fixed by v22.03.1-16-gf1de43d0a0)
• OpenWrt 21.02: 2022-10-13 (fixed by v21.02.4-2-gfa9a932fdb)

AFFECTED VERSIONS

To our knowledge, OpenWrt snapshot images are affected. OpenWrt stable release versions 22.03.1 and OpenWrt 21.02.4 and earlier are affected. Older versions of OpenWrt (e.g. OpenWrt 19.07, OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

CREDITS

Thanks to security researcher Sönke Huster from TU Darmstadt ( shuster@seemoo.tu-darmstadt.de ) and Johannes Berg from Intel for identifying the problems and fixing them in the upstream Linux kernel.
[5,6].

REFERENCES

0. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41674
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42719
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42720
3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42721
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42722
5. https://lwn.net/ml/oss-security/20221013101046.GB20615@suse.de/
6. https://lwn.net/ml/oss-security/ff7256bc-418b-e833-18d8-bc9700f6d77e@seemoo.tu-darmstadt.de/

I am using 19.07.10 and my devices cannot be upgraded due to 4/32 issue. What is the worse consequence which I can expect from these vulnerabilities being exploited?

None, as the issue arose with later kernel version.

Well, as anomeome mentioned, not this issue, but others - some of which might be remotely exploited (if not now, then surely a few months down the line).

Does this mean that all snapshots are (still) affected, incl current or snapshots before 13-10?

It has been fixed in all maintained branches, 21.02.5, 22.03.2 and recent master snapshots (built after the 13th). ...but all this was mentioned in the original annoucement, including the exact commit IDs.