Bug 1763690 (CVE-2019-17666) - CVE-2019-17666 kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow
Status: CLOSED ERRATA
Alias: CVE-2019-17666
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1763692 1775221 1775222 1775223 1775225 1775226 1775227 1775228 1775229 1775230 1775231 1775232 1775233 1775235 1775236 1775237 1775238 1775239 1775240 1775241 1775242 1775243 1775244 1775261 1789842 1809607
Blocks: 1763694
Reported: 2019-10-21 11:16 UTC by Marian Rehak
Modified: 2020-04-22 07:35 UTC

Fixed In Version: kernel 5.3.6
Doc Text:
A flaw was found in the Linux kernel's RealTek wireless driver implementation of WiFi-Direct (or WiFi peer-to-peer). When the RealTek wireless networking hardware is configured to accept WiFi-Direct or WiFi P2P connections, an attacker within radio range of the wireless network can exploit a flaw in the WiFi-Direct protocol known as "Notice of Absence" by creating specially crafted frames that corrupt kernel memory, because the upper bound on the length of the frame is unchecked and the length is supplied by the incoming packet.
Last Closed: 2020-02-04 14:09:35 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0455 None None None 2020-02-10 01:49:02 UTC
Red Hat Product Errata RHBA-2020:0554 None None None 2020-02-19 21:45:09 UTC
Red Hat Product Errata RHBA-2020:0890 None None None 2020-03-18 07:42:23 UTC
Red Hat Product Errata RHBA-2020:0894 None None None 2020-03-18 15:16:49 UTC
Red Hat Product Errata RHBA-2020:0900 None None None 2020-03-19 09:34:38 UTC
Red Hat Product Errata RHBA-2020:1430 None None None 2020-04-14 08:23:38 UTC
Red Hat Product Errata RHBA-2020:1431 None None None 2020-04-14 08:15:24 UTC
Red Hat Product Errata RHBA-2020:1432 None None None 2020-04-14 08:15:33 UTC
Red Hat Product Errata RHSA-2020:0328 None None None 2020-02-04 08:52:10 UTC
Red Hat Product Errata RHSA-2020:0339 None None None 2020-02-04 13:12:06 UTC
Red Hat Product Errata RHSA-2020:0543 None None None 2020-02-18 14:43:50 UTC
Red Hat Product Errata RHSA-2020:0661 None None None 2020-03-03 10:04:20 UTC
Red Hat Product Errata RHSA-2020:0740 None None None 2020-03-09 14:31:57 UTC
Red Hat Product Errata RHSA-2020:0831 None None None 2020-03-17 10:38:02 UTC
Red Hat Product Errata RHSA-2020:0834 None None None 2020-03-17 16:16:46 UTC
Red Hat Product Errata RHSA-2020:0839 None None None 2020-03-17 16:17:54 UTC
Red Hat Product Errata RHSA-2020:1347 None None None 2020-04-07 09:33:55 UTC
Red Hat Product Errata RHSA-2020:1353 None None None 2020-04-07 09:16:45 UTC
Red Hat Product Errata RHSA-2020:1465 None None None 2020-04-14 17:40:25 UTC
Red Hat Product Errata RHSA-2020:1473 None None None 2020-04-14 14:52:08 UTC
Red Hat Product Errata RHSA-2020:1524 None None None 2020-04-22 07:35:14 UTC

Description Marian Rehak 2019-10-21 11:16:21 UTC
A flaw was found in the Linux kernel's implementation of RealTek wireless drivers Wifi-direct (or wifi peer-to-peer) driver implementation.

When the RealTek wireless networking hardware is configured to accept Wifi-Direct (or Wifi P2P) connections, an attacker within wireless network connectivity radio range is able to exploit a flaw in the Wifi-direct protocol known as "Notice of Absence" by creating specially crafted frames which can corrupt kernel memory, as the upper bound on the length of the frame is unchecked and supplied by the incoming packet.

At this time, Red Hat Enterprise Linux 6 and 7 and 8 do not enable Wifi-Direct by default, but a privileged user can use standard command line tooling available to enable this feature allowing it to be attacked.
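
The missing check described above, shown as an added example in a simplified user-space model; it is not code from this bug report or from the kernel driver. The struct, function names and table size are hypothetical, and the 13-byte descriptor layout follows the Wi-Fi P2P Notice of Absence attribute as an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#define NOA_MAX_DESC 2      /* assumed size of the fixed per-device tables */
#define NOA_DESC_LEN 13     /* count(1) + duration(4) + interval(4) + start(4) */
#define NOA_HDR_LEN  2      /* index(1) + CTWindow/OppPS(1) */

struct noa_state {          /* hypothetical stand-in for the driver's state */
    uint8_t  count[NOA_MAX_DESC];
    uint32_t duration[NOA_MAX_DESC];
    uint32_t interval[NOA_MAX_DESC];
    uint32_t start[NOA_MAX_DESC];
};
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* body points at the 2-byte little-endian length after the attribute ID and
 * avail is the number of received bytes from there. Returns descriptors stored, or -1. */
int parse_noa(const uint8_t *body, size_t avail, struct noa_state *out)
{
    if (avail < 2)
        return -1;
    size_t len = (size_t)body[0] | (size_t)body[1] << 8;  /* sender-controlled */
    if (len < NOA_HDR_LEN || len > avail - 2)
        return -1;                  /* claims more bytes than were received */
    size_t n = (len - NOA_HDR_LEN) / NOA_DESC_LEN;
    if (n > NOA_MAX_DESC)           /* upper bound on the sender-derived count */
        n = NOA_MAX_DESC;
    const uint8_t *d = body + 2 + NOA_HDR_LEN;
    for (size_t i = 0; i < n; i++, d += NOA_DESC_LEN) {
        out->count[i]    = d[0];
        out->duration[i] = le32(d + 1);
        out->interval[i] = le32(d + 5);
        out->start[i]    = le32(d + 9);
    }
    return (int)n;
}

/* Constructed sample: a zeroed attribute whose length field announces n descriptors. */
int demo(size_t n, size_t avail)
{
    uint8_t buf[2 + NOA_HDR_LEN + 8 * NOA_DESC_LEN] = {0};
    struct noa_state st = {{0}};
    size_t len = NOA_HDR_LEN + n * NOA_DESC_LEN;
    buf[0] = (uint8_t)len; buf[1] = (uint8_t)(len >> 8);
    return parse_noa(buf, avail, &st);
}
```

Without the clamp on `n`, the loop would index the fixed-size tables with a count taken from the frame, which is the memory corruption the description refers to.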

Comment 1 Marian Rehak 2019-10-21 11:16:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1763692]

Comment 11 Marian Rehak 2019-11-25 13:08:19 UTC
Hello!

The information seems to check out, thank you very much for this improvement!

Comment 14 errata-xmlrpc 2020-02-04 08:52:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0328 https://access.redhat.com/errata/RHSA-2020:0328

Comment 15 errata-xmlrpc 2020-02-04 13:12:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0339 https://access.redhat.com/errata/RHSA-2020:0339

Comment 16 Product Security DevOps Team 2020-02-04 14:09:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17666

Comment 18 errata-xmlrpc 2020-02-18 14:43:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0543 https://access.redhat.com/errata/RHSA-2020:0543

Comment 20 errata-xmlrpc 2020-03-03 10:04:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:0661 https://access.redhat.com/errata/RHSA-2020:0661

Comment 23 errata-xmlrpc 2020-03-09 14:31:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0740 https://access.redhat.com/errata/RHSA-2020:0740

Comment 24 errata-xmlrpc 2020-03-17 10:37:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0831 https://access.redhat.com/errata/RHSA-2020:0831

Comment 25 errata-xmlrpc 2020-03-17 16:16:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0834 https://access.redhat.com/errata/RHSA-2020:0834

Comment 26 errata-xmlrpc 2020-03-17 16:17:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0839 https://access.redhat.com/errata/RHSA-2020:0839

Comment 28 errata-xmlrpc 2020-04-07 09:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:1353 https://access.redhat.com/errata/RHSA-2020:1353

Comment 29 errata-xmlrpc 2020-04-07 09:33:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:1347 https://access.redhat.com/errata/RHSA-2020:1347

Comment 30 errata-xmlrpc 2020-04-14 14:52:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:1473 https://access.redhat.com/errata/RHSA-2020:1473

Comment 31 errata-xmlrpc 2020-04-14 17:40:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1465 https://access.redhat.com/errata/RHSA-2020:1465

Comment 33 errata-xmlrpc 2020-04-22 07:35:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1524 https://access.redhat.com/errata/RHSA-2020:1524

