SecurityTracker.com
Category:   OS (Linux)  >   Linux Kernel
Vendors:   kernel.org
Linux Kernel Buffer Overflow in brcmf_cfg80211_mgmt_tx() Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1038981
SecurityTracker URL:  http://securitytracker.com/id/1038981
CVE Reference:   CVE-2017-7541
Date:  Jul 25 2017
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in the Linux kernel. A local user can obtain elevated privileges on the target system.

A local user can send a specially crafted NL80211_CMD_FRAME packet via netlink to trigger a buffer overflow in the brcmf_cfg80211_mgmt_tx() function and execute arbitrary code on the target system.

Stanislaw Gruszka reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a source code fix, available at:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c

Vendor URL:  www.kernel.org/
Cause:   Boundary error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 29 2017 (Ubuntu Issues Fix) Linux Kernel Buffer Overflow in brcmf_cfg80211_mgmt_tx() Lets Local Users Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu Linux 16.04 LTS.
Sep 19 2017 (Ubuntu Issues Fix) Linux Kernel Buffer Overflow in brcmf_cfg80211_mgmt_tx() Lets Local Users Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu Linux 17.04.
Sep 19 2017 (Ubuntu Issues Fix) Linux Kernel Buffer Overflow in brcmf_cfg80211_mgmt_tx() Lets Local Users Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS.



 Source Message Contents

Subject:  [oss-security] CVE-2017-7541: Linux kernel: Memory corruption due to a buffer overflow in brcmf_cfg80211_mgmt_tx()

Hello,

Kernel memory corruption due to a buffer overflow was found in the brcmf_cfg80211_mgmt_tx()
function in Linux kernels from v3.9-rc1 to v4.13-rc1. It can be triggered by sending a
crafted NL80211_CMD_FRAME packet via netlink.

There was research into whether this flaw could be triggered remotely, by sending packets on
the air; the result follows:

RX notification is regarding an event sent to a userspace program, which is
usually the "wpa_supplicant" or "hostapd". The userspace can register
in the kernel via NL80211_CMD_REGISTER_FRAME to pass management frames to it.
This flaw would be remotely exploitable if a userspace program registers to
receive some management frames and then passes them back to the kernel without
modification. I'm not sure if any user space program does that, I think
"hostapd" or "wpa_supplicant" don't, but to be sure, it will require fully
analyzing their source code.
(Stanislaw Gruszka <sgruszka@redhat.com>)

So, this flaw is unlikely to be triggered remotely, as certain userspace code is needed
for this. An unprivileged local user could use this flaw to induce kernel memory corruption
on the system, leading to a crash. Due to the nature of the flaw, privilege escalation
cannot be fully ruled out, although we believe it is unlikely.

cvss3=6.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
cwe=CWE-120

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1473198

https://bugzilla.novell.com/show_bug.cgi?id=1049645

https://www.spinics.net/lists/stable/msg180994.html

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c
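
The bug class named above (CWE-120: a caller-supplied frame length copied into a fixed-size buffer without a bounds check), as an added example that is not part of the original advisory and is not the kernel's code. It is a user-space C model of the length validation such a path needs; the struct, the function name and both size constants are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration; not taken from the driver source. */
#define MGMT_HDR_LEN    24u    /* 802.11 management frame header */
#define ACTION_DATA_MAX 1800u  /* fixed payload area of the request */

struct action_frame {          /* hypothetical fixed-size request */
    uint16_t len;
    uint8_t  data[ACTION_DATA_MAX];
};

/*
 * Copy the body of a caller-supplied management frame into a fixed-size
 * request. In the kernel case the frame and its length arrive from an
 * unprivileged process via netlink (NL80211_CMD_FRAME), so `len` is
 * untrusted and both bounds are checked before any subtraction or copy.
 */
int build_action_frame(struct action_frame *af, const uint8_t *buf, size_t len)
{
    if (af == NULL || buf == NULL)
        return -EINVAL;
    /* Lower bound: otherwise len - MGMT_HDR_LEN wraps to a huge size_t. */
    if (len < MGMT_HDR_LEN)
        return -EINVAL;
    /* Upper bound: omitting this check is what makes the copy overflow. */
    if (len - MGMT_HDR_LEN > ACTION_DATA_MAX)
        return -EINVAL;

    af->len = (uint16_t)(len - MGMT_HDR_LEN);
    memcpy(af->data, buf + MGMT_HDR_LEN, af->len);
    return 0;
}

int main(void)
{
    /* Constructed sample input: an all-zero buffer larger than the limit. */
    static uint8_t frame[MGMT_HDR_LEN + ACTION_DATA_MAX + 64];
    struct action_frame af;

    printf("in bounds: %d\n", build_action_frame(&af, frame, MGMT_HDR_LEN + 100));
    printf("oversized: %d\n", build_action_frame(&af, frame, sizeof frame));
    return 0;
}
```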
 
 



Copyright 2019, SecurityGlobal.net LLC