Improper Initialization in iNet wireless daemon (IWD)

#VU87338 Improper Initialization in iNet wireless daemon (IWD)

Published: 2024-03-11

Vulnerability identifier: #VU87338

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-28084

CWE-ID: CWE-665

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
iNet wireless daemon (IWD)
Hardware solutions / Drivers

Vendor: iwd.wiki.kernel.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper initialization in p2putil.c. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

iNet wireless daemon (IWD): 2.0 - 2.15

External links
http://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=52a47c9fd428904de611a90cbf8b223af879684d
http://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=d34b4e16e045142590ed7cb653e01ed0ae5362eb

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 40 update for iwd

Fedora 39 update for iwd

Denial of service in iNet wireless daemon (IWD)