Bug 1713059 (CVE-2019-3846) - CVE-2019-3846 kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c
Summary: CVE-2019-3846 kernel: Heap overflow in mwifiex_update_bss_desc_with_ie functi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3846
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1714468 1714469 1714470 1714471 1714472 1714473 1714474 1714475 1714476 1714477 1715475 1753269 1825896 1825897 1825898 1825899 1825900 1825902
Blocks: 1713060
TreeView+ depends on / blocked
 
Reported: 2019-05-22 18:45 UTC by Pedro Sampaio
Modified: 2020-07-07 04:58 UTC (History)
51 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's Marvell wifi chip driver. A heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c allows remote attackers to cause a denial of service(system crash) or execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-09-12 12:45:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2767 None None None 2019-09-12 19:12:33 UTC
Red Hat Product Errata RHBA-2019:3176 None None None 2019-10-22 14:07:06 UTC
Red Hat Product Errata RHBA-2019:3184 None None None 2019-10-23 19:19:41 UTC
Red Hat Product Errata RHBA-2019:3185 None None None 2019-10-23 19:19:49 UTC
Red Hat Product Errata RHBA-2019:3288 None None None 2019-10-31 16:53:01 UTC
Red Hat Product Errata RHBA-2019:3879 None None None 2019-11-14 08:04:35 UTC
Red Hat Product Errata RHBA-2019:3880 None None None 2019-11-14 08:14:44 UTC
Red Hat Product Errata RHSA-2019:2703 None None None 2019-09-10 19:00:17 UTC
Red Hat Product Errata RHSA-2019:2741 None None None 2019-09-11 16:42:14 UTC
Red Hat Product Errata RHSA-2019:3055 None None None 2019-10-15 17:46:01 UTC
Red Hat Product Errata RHSA-2019:3076 None None None 2019-10-15 17:48:38 UTC
Red Hat Product Errata RHSA-2019:3089 None None None 2019-10-16 07:57:03 UTC
Red Hat Product Errata RHSA-2020:0174 None None None 2020-01-21 15:49:52 UTC
Red Hat Product Errata RHSA-2020:2289 None None None 2020-05-26 11:17:09 UTC

Description Pedro Sampaio 2019-05-22 18:45:25 UTC
A flaw was found in Marvell wifi chip driver in Linux kernel. A heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c allows remote attackers to cause a denial of service(system crash) or possibly execute arbitrary code.

Upstream patch submission:

https://lore.kernel.org/linux-wireless/20190529125220.17066-1-tiwai@suse.de/

Comment 5 Wade Mealing 2019-05-28 07:34:05 UTC
Mitigation:

This flaw requires a system with marvell wifi network card to be attempting to connect to a attacker controlled wifi network.  A temporary mitigation may be to only connect to known-good networks via wifi, or connect to a network via ethernet.  Alternatively if wireless networking is not used the mwifiex kernel module can be blacklisted to prevent misuse of the vulnerable code.

Comment 6 Wade Mealing 2019-05-28 08:01:47 UTC
Statement:

This flaw is currently rated as Important as it is possible for an attacker to setup a wifi access point with identical configuration in another location and intercept have the system auto connect and possibly be exploited.

Comment 9 Petr Matousek 2019-05-30 12:55:07 UTC
External References:

https://seclists.org/oss-sec/2019/q2/133

Comment 10 Petr Matousek 2019-05-30 12:56:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1715475]

Comment 11 Petr Matousek 2019-05-30 13:00:36 UTC
Acknowledgments:

Name: huangwen (ADLab of Venustech)

Comment 12 errata-xmlrpc 2019-09-10 19:00:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703

Comment 13 errata-xmlrpc 2019-09-11 16:42:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741

Comment 14 Product Security DevOps Team 2019-09-12 12:45:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3846

Comment 20 errata-xmlrpc 2019-10-15 17:45:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3055 https://access.redhat.com/errata/RHSA-2019:3055

Comment 21 errata-xmlrpc 2019-10-15 17:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3076 https://access.redhat.com/errata/RHSA-2019:3076

Comment 22 errata-xmlrpc 2019-10-16 07:57:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3089 https://access.redhat.com/errata/RHSA-2019:3089

Comment 28 errata-xmlrpc 2020-01-21 15:49:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0174 https://access.redhat.com/errata/RHSA-2020:0174

Comment 31 errata-xmlrpc 2020-05-26 11:17:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2289 https://access.redhat.com/errata/RHSA-2020:2289

Comment 36 Wade Mealing 2020-07-07 04:58:12 UTC
After further investigation, it appears as though libtertas has mitigation against this flaw, marking el6 not affected.


Note You need to log in before you can comment on or make changes to this bug.