Bug 1713059 (CVE-2019-3846) - CVE-2019-3846 kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3846
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1714468 1714469 1714470 1714471 1714472 1714473 1714474 1714475 1714476 1714477 1715475 1753269 1825896 1825897 1825898 1825899 1825900 1825902
Blocks: 1713060
Reported: 2019-05-22 18:45 UTC by Pedro Sampaio
Modified: 2023-03-24 14:51 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's Marvell wifi chip driver. A heap overflow in the mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c allows remote attackers to cause a denial of service (system crash) or execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-09-12 12:45:58 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2767 0 None None None 2019-09-12 19:12:33 UTC
Red Hat Product Errata RHBA-2019:3176 0 None None None 2019-10-22 14:07:06 UTC
Red Hat Product Errata RHBA-2019:3184 0 None None None 2019-10-23 19:19:41 UTC
Red Hat Product Errata RHBA-2019:3185 0 None None None 2019-10-23 19:19:49 UTC
Red Hat Product Errata RHBA-2019:3288 0 None None None 2019-10-31 16:53:01 UTC
Red Hat Product Errata RHBA-2019:3879 0 None None None 2019-11-14 08:04:35 UTC
Red Hat Product Errata RHBA-2019:3880 0 None None None 2019-11-14 08:14:44 UTC
Red Hat Product Errata RHSA-2019:2703 0 None None None 2019-09-10 19:00:17 UTC
Red Hat Product Errata RHSA-2019:2741 0 None None None 2019-09-11 16:42:14 UTC
Red Hat Product Errata RHSA-2019:3055 0 None None None 2019-10-15 17:46:01 UTC
Red Hat Product Errata RHSA-2019:3076 0 None None None 2019-10-15 17:48:38 UTC
Red Hat Product Errata RHSA-2019:3089 0 None None None 2019-10-16 07:57:03 UTC
Red Hat Product Errata RHSA-2020:0174 0 None None None 2020-01-21 15:49:52 UTC
Red Hat Product Errata RHSA-2020:2289 0 None None None 2020-05-26 11:17:09 UTC

Description Pedro Sampaio 2019-05-22 18:45:25 UTC
A flaw was found in the Marvell wifi chip driver in the Linux kernel. A heap overflow in the mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code.

Upstream patch submission:

https://lore.kernel.org/linux-wireless/20190529125220.17066-1-tiwai@suse.de/

Comment 5 Wade Mealing 2019-05-28 07:34:05 UTC
Mitigation:

This flaw requires a system with a Marvell wifi network card to be attempting to connect to an attacker-controlled wifi network. A temporary mitigation may be to only connect to known-good networks via wifi, or connect to a network via ethernet. Alternatively, if wireless networking is not used, the mwifiex kernel module can be blacklisted to prevent misuse of the vulnerable code.
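
An added example, not part of the comment above or of Red Hat's tooling: a shell audit of the module-blacklist mitigation that reports whether mwifiex code is loaded, blocked from loading, or still loadable. The function names, the /bin/false install override and the default paths (/proc/modules, /etc/modprobe.d) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the "blacklist mwifiex"
# mitigation. File locations are parameters so the checks can be run against
# constructed test files as well as the live system.

# Print loaded modules whose name starts with "mwifiex" (/proc/modules format).
loaded_mwifiex() {
    awk '$1 ~ /^mwifiex/ { print $1 }' "${1:-/proc/modules}"
}

# modprobe.d lines that stop the module being loaded. "blacklist" alone only
# stops alias-based autoloading; the "install" override also covers an explicit
# modprobe and loading as a dependency of a bus-specific mwifiex module.
mwifiex_block_conf() {
    printf '%s\n' 'blacklist mwifiex' 'install mwifiex /bin/false'
}

# Succeed only if the modprobe.d directory has both lines (comments ignored).
mwifiex_blocked() {
    cat "${1:-/etc/modprobe.d}"/*.conf 2>/dev/null | awk '
        /^[[:space:]]*#/ { next }
        $1 == "blacklist" && $2 == "mwifiex" { b = 1 }
        $1 == "install" && $2 == "mwifiex" && $3 ~ /^\/bin\/(false|true)$/ { i = 1 }
        END { exit !(b && i) }'
}

# Report LOADED (vulnerable code is in the running kernel), BLOCKED, or
# LOADABLE (not loaded now, but nothing prevents it from being loaded).
audit_mwifiex() {
    if [ -n "$(loaded_mwifiex "$1")" ]; then
        echo LOADED
    elif mwifiex_blocked "$2"; then
        echo BLOCKED
    else
        echo LOADABLE
    fi
}

# With no arguments the defaults apply, so this audits the live system.
audit_mwifiex
```

A LOADED result means the configuration lines take effect only after the modules are unloaded or the system is rebooted.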

Comment 6 Wade Mealing 2019-05-28 08:01:47 UTC
Statement:

This flaw is currently rated as Important as it is possible for an attacker to set up a wifi access point with an identical configuration in another location and intercept, have the system auto-connect and possibly be exploited.

Comment 9 Petr Matousek 2019-05-30 12:55:07 UTC
External References:

https://seclists.org/oss-sec/2019/q2/133

Comment 10 Petr Matousek 2019-05-30 12:56:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1715475]

Comment 11 Petr Matousek 2019-05-30 13:00:36 UTC
Acknowledgments:

Name: huangwen (ADLab of Venustech)

Comment 12 errata-xmlrpc 2019-09-10 19:00:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703

Comment 13 errata-xmlrpc 2019-09-11 16:42:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741

Comment 14 Product Security DevOps Team 2019-09-12 12:45:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3846

Comment 20 errata-xmlrpc 2019-10-15 17:45:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3055 https://access.redhat.com/errata/RHSA-2019:3055

Comment 21 errata-xmlrpc 2019-10-15 17:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3076 https://access.redhat.com/errata/RHSA-2019:3076

Comment 22 errata-xmlrpc 2019-10-16 07:57:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3089 https://access.redhat.com/errata/RHSA-2019:3089

Comment 28 errata-xmlrpc 2020-01-21 15:49:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0174 https://access.redhat.com/errata/RHSA-2020:0174

Comment 31 errata-xmlrpc 2020-05-26 11:17:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2289 https://access.redhat.com/errata/RHSA-2020:2289

Comment 36 Wade Mealing 2020-07-07 04:58:12 UTC
After further investigation, it appears as though libertas has a mitigation against this flaw, marking el6 not affected.

