Bug 1925152 (CVE-2021-0326)
| Summary: | CVE-2021-0326 wpa_supplicant: P2P group information processing vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bgalvani, blueowl, dcaratti, dcbw, lkundrak, sukulkar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | wpa_supplicant 2.10 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A buffer overflow flaw was found in the P2P (Wi-Fi Direct) support of wpa_supplicant. This flaw allows an attacker within radio range of the vulnerable system to send a specially crafted management frame that triggers a P2P peer device information to be created or updated, leading to the crashing of the wpa_supplicant process or arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 14:38:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1925153, 1928763, 1928765, 1933597 | ||
| Bug Blocks: | 1925155 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-02-04 13:53:01 UTC
Created wpa_supplicant tracking bugs for this issue: Affects: fedora-all [bug 1925153] External References: https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt The p2p_copy_client_info() function in p2p/p2p.c did not properly check the number of 'sec_dev_type' entries (num_sec_dev_types) leading to a potential buffer overflow when storing a copy of the secondary device types into WPS secondary device type list (wps_sec_dev_type_list). This is prevented in the fixed version by capping the length at WPS_SEC_DEV_TYPE_MAX_LEN, i.e., the maximum size of the buffer. Mitigation: Disable Wi-Fi P2P support (Wi-Fi Direct) if not needed, by using the control interface command "P2P_SET disabled 1" or setting "p2p_disabled=1" in wpa_supplicant configuration file. FEDORA-2021-defe51d282 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-defe51d282 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1686 https://access.redhat.com/errata/RHSA-2021:1686 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-0326 |