A vulnerability was discovered in how wpa_supplicant processes P2P (Wi-Fi Direct) provision discovery requests. Under a corner case condition, an invalid Provision Discovery Request frame could end up reaching a state where the oldest peer entry needs to be removed. With a suitably constructed invalid frame, this could result in use (read+write) of freed memory. This can result in an attacker within radio range of the device running P2P discovery being able to cause unexpected behavior, including termination of the wpa_supplicant process and potentially code execution.
References:
https://www.openwall.com/lists/oss-security/2021/02/25/3
https://w1.fi/security/2021-1/
Created wpa_supplicant tracking bugs for this issue: Affects: fedora-all [bug 1933362]
Upstream patch: https://w1.fi/cgit/hostap/commit/src/p2p/p2p_pd.c?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32
External References: https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt
Statement: An attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a set of suitably constructed management frames that trigger the corner case to be reached in the management of the P2P peer table.
Mitigation: Disable P2P, either with the control interface command "P2P_SET disabled 1" or by setting "p2p_disabled=1" in the wpa_supplicant configuration file (in each file, if multiple interfaces are used).
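For the configuration-file form of the mitigation, the following is an added shell example (not from the advisory, Red Hat, or the wpa_supplicant project) that checks whether each given wpa_supplicant configuration file effectively sets p2p_disabled=1 and applies the setting idempotently where it does not. The file paths are assumed arguments, and treating the last uncommented occurrence of the key as the effective one is an assumption about the parser.

```shell
#!/bin/sh
# Added example: audit and apply the "p2p_disabled=1" mitigation for
# CVE-2021-27803 across wpa_supplicant configuration files. Assumes the
# usual "key=value" per-line syntax with "#" comments; file paths are
# supplied by the caller (assumed, not taken from the advisory).

# check_p2p_disabled FILE
# Returns 0 only if an uncommented "p2p_disabled=1" line is in effect.
# A commented-out "# p2p_disabled=1" does not count. If the key appears
# more than once, the last occurrence is assumed to win.
check_p2p_disabled() {
    val=$(grep -E '^[[:space:]]*p2p_disabled[[:space:]]*=' "$1" 2>/dev/null \
          | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    [ "$val" = "1" ]
}

# ensure_p2p_disabled FILE
# Idempotently makes the file set p2p_disabled=1: rewrites an existing
# uncommented key (e.g. p2p_disabled=0), or appends the key if absent.
# Returns 0 when the file is in the mitigated state afterwards.
ensure_p2p_disabled() {
    f="$1"
    if check_p2p_disabled "$f"; then
        return 0
    fi
    if grep -qE '^[[:space:]]*p2p_disabled[[:space:]]*=' "$f" 2>/dev/null; then
        # Key present with another value: rewrite every uncommented occurrence.
        tmp="$f.tmp.$$"
        sed 's/^[[:space:]]*p2p_disabled[[:space:]]*=.*/p2p_disabled=1/' "$f" > "$tmp" \
            && mv "$tmp" "$f"
    else
        printf '\n# CVE-2021-27803 mitigation: keep P2P disabled until a fixed wpa_supplicant is installed\np2p_disabled=1\n' >> "$f"
    fi
    check_p2p_disabled "$f"
}

# audit_p2p FILE...  prints one status line per file; returns 1 if any file
# still has P2P enabled. Usage: audit_p2p /etc/wpa_supplicant/*.conf
audit_p2p() {
    rc=0
    for f in "$@"; do
        if check_p2p_disabled "$f"; then
            echo "OK       $f"
        else
            echo "ENABLED  $f"
            rc=1
        fi
    done
    return "$rc"
}
```

Remember that the running daemon only picks up the file change after a reload or restart; the "P2P_SET disabled 1" control interface command covers the already-running instance.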
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0808 https://access.redhat.com/errata/RHSA-2021:0808
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27803
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0809 https://access.redhat.com/errata/RHSA-2021:0809
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0816 https://access.redhat.com/errata/RHSA-2021:0816
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:0818 https://access.redhat.com/errata/RHSA-2021:0818