[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] wpa_supplicant P2P provision discovery processing vulnerability
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2021-02-27 6:54:16
Message-ID: YDnsmGZ4hL6knMJD () eldamar ! lan
[Download RAW message or body]

Hi,

On Thu, Feb 25, 2021 at 09:03:50PM +0200, Jouni Malinen wrote:
> Published: February 25, 2021
> Latest version available from: https://w1.fi/security/2021-1/
> 
> 
> Vulnerability
> 
> A vulnerability was discovered in how wpa_supplicant processes P2P
> (Wi-Fi Direct) provision discovery requests. Under a corner case
> condition, an invalid Provision Discovery Request frame could end up
> reaching a state where the oldest peer entry needs to be removed. With
> a suitably constructed invalid frame, this could result in use
> (read+write) of freed memory. This can result in an attacker within
> radio range of the device running P2P discovery being able to cause
> unexpected behavior, including termination of the wpa_supplicant process
> and potentially code execution.
> 
> 
> Vulnerable versions/configurations
> 
> wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled
> 
> An attacker (or a system controlled by the attacker) needs to be within
> radio range of the vulnerable system to send a set of suitably
> constructed management frames that trigger the corner case to be reached
> in the management of the P2P peer table.
> 
> 
> Possible mitigation steps
> 
> - Merge the following commit to wpa_supplicant and rebuild it:
> 
>   P2P: Fix a corner case in peer addition based on PD Request
>   
>   This patch is available from https://w1.fi/security/2021-1/
>   
> - Update to wpa_supplicant v2.10 or newer, once available
> 
> - Disable P2P (control interface command "P2P_SET disabled 1" or
>   "p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
>   configuration file)
> 
> - Disable P2P from the build (remove CONFIG_P2P=y)

CVE-2021-27803 is assigned for this issue:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27803

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]