Bug 1933361 (CVE-2021-27803) - CVE-2021-27803 wpa_supplicant: Use-after-free in P2P provision discovery processing
Summary: CVE-2021-27803 wpa_supplicant: Use-after-free in P2P provision discovery proc...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-27803
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1933362 1933568 1933569 1933570 1933571 1933572 1933573 1935548 2048290
Blocks: 1933363
TreeView+ depends on / blocked
 
Reported: 2021-02-26 19:43 UTC by Pedro Sampaio
Modified: 2022-05-17 10:50 UTC (History)
7 users (show)

Fixed In Version: wpa_supplicant 2.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the wpa_supplicant, in the way it processes P2P (Wi-Fi Direct) provision discovery requests. This flaw allows an attacker who is within radio range of the device running P2P discovery to cause termination of the wpa_supplicant process or potentially cause code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-03-10 23:25:45 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0808 0 None None None 2021-03-10 19:52:07 UTC
Red Hat Product Errata RHSA-2021:0809 0 None None None 2021-03-11 07:40:56 UTC
Red Hat Product Errata RHSA-2021:0816 0 None None None 2021-03-15 10:38:15 UTC
Red Hat Product Errata RHSA-2021:0818 0 None None None 2021-03-15 11:41:40 UTC

Description Pedro Sampaio 2021-02-26 19:43:16 UTC 
A vulnerability was discovered in how wpa_supplicant processes P2P (Wi-Fi Direct) provision discovery requests. Under a corner case condition, an invalid Provision Discovery Request frame could end up reaching a state where the oldest peer entry needs to be removed. With a suitably constructed invalid frame, this could result in use (read+write) of freed memory. This can result in an attacker within radio range of the device running P2P discovery being able to cause unexpected behavior, including termination of the wpa_supplicant process and potentially code execution.

References:

https://www.openwall.com/lists/oss-security/2021/02/25/3
https://w1.fi/security/2021-1/
Comment 1 Pedro Sampaio 2021-02-26 19:43:41 UTC 
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1933362]
Comment 2 Huzaifa S. Sidhpurwala 2021-03-01 05:47:53 UTC 
Upstream patch: https://w1.fi/cgit/hostap/commit/src/p2p/p2p_pd.c?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32
Comment 3 Huzaifa S. Sidhpurwala 2021-03-01 05:56:14 UTC 
External References:

https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt
Comment 5 Huzaifa S. Sidhpurwala 2021-03-01 06:02:58 UTC 
Statement:

An attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a set of suitably constructed management frames that trigger the corner case to be reached in the management of the P2P peer table.
Comment 8 RaTasha Tillery-Smith 2021-03-01 16:49:19 UTC 
Mitigation:

Disable the P2P (control interface command "P2P_SET disabled 1" or "p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant configuration file)
Comment 11 errata-xmlrpc 2021-03-10 19:52:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0808 https://access.redhat.com/errata/RHSA-2021:0808
Comment 12 Product Security DevOps Team 2021-03-10 23:25:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27803
Comment 13 errata-xmlrpc 2021-03-11 07:40:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0809 https://access.redhat.com/errata/RHSA-2021:0809
Comment 14 errata-xmlrpc 2021-03-15 10:38:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0816 https://access.redhat.com/errata/RHSA-2021:0816
Comment 15 errata-xmlrpc 2021-03-15 11:41:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0818 https://access.redhat.com/errata/RHSA-2021:0818
Note You need to log in before you can comment on or make changes to this bug.