<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: wpa_supplicant P2P provision discovery processing vulnerability
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 27 Feb 2021 07:54:16 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi,
On Thu, Feb 25, 2021 at 09:03:50PM +0200, Jouni Malinen wrote:
Published: February 25, 2021
Latest version available from: https://w1.fi/security/2021-1/
Vulnerability
A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.
Vulnerable versions/configurations
wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled
An attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a set of suitably
constructed management frames that trigger the corner case to be reached
in the management of the P2P peer table.
Possible mitigation steps
- Merge the following commit to wpa_supplicant and rebuild it:
P2P: Fix a corner case in peer addition based on PD Request
This patch is available from https://w1.fi/security/2021-1/
- Update to wpa_supplicant v2.10 or newer, once available
- Disable P2P (control interface command "P2P_SET disabled 1" or
"p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
configuration file)
- Disable P2P from the build (remove CONFIG_P2P=y)
CVE-2021-27803 is assigned for this issue:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27803
Regards,
Salvatore
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
wpa_supplicant P2P provision discovery processing vulnerability Jouni Malinen (Feb 25)
Re: wpa_supplicant P2P provision discovery processing vulnerability Salvatore Bonaccorso (Feb 26)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->