SB2023010309 - Multiple vulnerabilities in Linux kernel WILC1000 wireless driver
Published: January 3, 2023
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2022-47521)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver. A local user can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames and execute arbitrary code with elevated privileges.
2) Out-of-bounds read (CVE-ID: CVE-2022-47520)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver. A local user can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet and perform a denial of service (DoS) attack.
3) Out-of-bounds write (CVE-ID: CVE-2022-47519)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver. A local user can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames and execute arbitrary code with elevated privileges.
4) Out-of-bounds write (CVE-ID: CVE-2022-47518)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing a number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver. A local user can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames and execute arbitrary code with elevated privileges.
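The channel-list issues above share one root cause: length and count fields taken from a frame are trusted before being checked against the bytes actually present. The following is an added example of the defensive check, not the driver's code or the upstream fix. It assumes the Wi-Fi P2P attribute layout (1-byte ID, 2-byte little-endian length; channel list body = 3-byte country string followed by entries of operating class, channel count, channels); the function names and sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define P2P_ATTR_CHANNEL_LIST 11 /* IEEE80211_P2P_ATTR_CHANNEL_LIST, linux/ieee80211.h */
#define P2P_ATTR_HDR_LEN 3       /* id (1) + little-endian length (2) */
#define P2P_COUNTRY_LEN 3        /* assumed country string size */

/* Constructed samples: a well-formed attribute, and one whose channel count lies. */
static const uint8_t sample_ok[]  = { 11, 8, 0, 'U', 'S', 0x04, 81, 3,   1, 6, 11 };
static const uint8_t sample_bad[] = { 11, 8, 0, 'U', 'S', 0x04, 81, 200, 1, 6, 11 };

/* Return the body of attribute `id` (length in *body_len), or NULL when it is
 * absent or any declared attribute length runs past the end of the buffer. */
static const uint8_t *p2p_find_attr(const uint8_t *buf, size_t len,
                                    uint8_t id, size_t *body_len)
{
    size_t off = 0;
    while (len - off >= P2P_ATTR_HDR_LEN) {
        size_t alen = (size_t)buf[off + 1] | ((size_t)buf[off + 2] << 8);
        if (alen > len - off - P2P_ATTR_HDR_LEN)
            return NULL;            /* declared length overruns the frame */
        if (buf[off] == id) {
            *body_len = alen;
            return buf + off + P2P_ATTR_HDR_LEN;
        }
        off += P2P_ATTR_HDR_LEN + alen;
    }
    return NULL;
}

/* Walk the channel entries; return the total channel count, or -1 if an
 * entry header or its channel count does not fit in the remaining bytes. */
static int p2p_chlist_count(const uint8_t *body, size_t body_len)
{
    size_t off = P2P_COUNTRY_LEN;
    int total = 0;
    if (body_len < P2P_COUNTRY_LEN)
        return -1;
    while (off < body_len) {
        /* operating class + count must fit, and count must not exceed the rest */
        if (body_len - off < 2 || (size_t)body[off + 1] > body_len - off - 2)
            return -1;
        total += body[off + 1];
        off += 2 + (size_t)body[off + 1];
    }
    return total;
}
```

A caller copies or rewrites channel data only after both functions succeed, and rejects the frame otherwise.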
Remediation
Install the update from the vendor's website.
References
- https://github.com/torvalds/linux/commit/f9b62f9843c7b0afdaecabbcebf1dbba18599408
- https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.com
- https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html
- https://github.com/torvalds/linux/commit/cd21d99e595ec1d8721e1058dcdd4f1f7de1d793
- https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com
- https://lore.kernel.org/r/20221123153543.8568-3-philipturnbull@github.com
- https://github.com/torvalds/linux/commit/051ae669e4505abbe05165bebf6be7922de11f41
- https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull@github.com
- https://github.com/torvalds/linux/commit/0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0