CVE-2019-10126 / CVE-2019-14895 / CVE-2019-17133 / CVE-2019-14901 / CVE-2019-16746: WiFi Driver Vulnerabilities

Bug #1864763 reported by Ghada Khalil
This bug affects 1 person
Affects: StarlingX
Status: Invalid
Importance: Low
Assigned to: Jim Somerville
Milestone:

Bug Description

The following CVEs are related to WiFi Drivers

CVE-2019-10126
status: fixed
cvss2Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Description: A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.
https://nvd.nist.gov/vuln/detail/CVE-2019-10126

CVE-2019-14895
status: fixed
cvss2Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Description: A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.
https://nvd.nist.gov/vuln/detail/CVE-2019-14895

CVE-2019-17133
status: fixed
cvss2Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Description: In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.
https://nvd.nist.gov/vuln/detail/CVE-2019-17133

CVE-2019-14901
status: fixed
cvss2Score: 10.0
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Description: A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.
https://nvd.nist.gov/vuln/detail/CVE-2019-14901

CVE-2019-16746
status: fixed
cvss2Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Description: An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.
https://nvd.nist.gov/vuln/detail/CVE-2019-16746

Tags: stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Ghada Khalil (gkhalil)
information type: Public → Public Security
tags: added: stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
status: New → Triaged
importance: Undecided → Low
Ghada Khalil (gkhalil) wrote :

CVE-2019-10126:
Based on Jim Somerville's investigation, the wireless driver in question requires the config option CONFIG_MWIFIEX which is not set in stx. Therefore, we’re not vulnerable to this CVE.

Ghada Khalil (gkhalil) wrote :

Jim Somerville confirmed that StarlingX is not vulnerable to all 3 CVEs related to wifi drivers

Details are as follows:
From the config file:

CONFIG_WIRELESS=y
# CONFIG_CFG80211 is not set

So we have wireless enabled, but CFG80211 is not set.

The Marvell driver needs CFG80211, which isn't set, so the Marvell driver doesn't get built, either as built-in or as a module. I confirmed that it isn't in the list of in-tree modules that we build/ship.

The Kconfig for it:

config MWIFIEX
         tristate "Marvell WiFi-Ex Driver"
         depends on CFG80211

Confirmed as CONFIG_MWIFIEX doesn't appear in the final config file.

OK, now looking at CVE-2019-14895, the fix is to:
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c

So not vulnerable.

Looking at CVE-2019-17133, the fix is to:
net/wireless/wext-sme.c

So not in a driver per se

Looking at what brings it in:

./net/wireless/Makefile:cfg80211-$(CONFIG_CFG80211_WEXT) += wext-compat.o wext-sme.o

So CONFIG_CFG80211_WEXT needs to be set

config CFG80211_WEXT
         bool "cfg80211 wireless extensions compatibility" if !CFG80211_WEXT_EXPORT
         depends on CFG80211

It also depends on CFG80211 which isn't set.

Confirmed that CONFIG_CFG80211_WEXT does not appear in the final config file.

So also not vulnerable.
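
The Kconfig reasoning in the comment above can be repeated mechanically against any kernel config. This is an added example, not part of the bug report or StarlingX's tooling; `SAMPLE_CONFIG` is constructed from the two lines quoted above, and the gating symbols for CVE-2019-14901 and CVE-2019-16746 are assumptions drawn from the bug text.

```python
import re

# Constructed sample: the two wireless lines quoted in the comment above plus
# one unrelated line. A symbol that never appears is treated as not built.
SAMPLE_CONFIG = """\
CONFIG_NET=y
CONFIG_WIRELESS=y
# CONFIG_CFG80211 is not set
"""

# CVE -> (path of the affected code, Kconfig symbol that gates it), as traced
# in this bug. The CVE-2019-14901 and CVE-2019-16746 rows are assumptions taken
# from the bug text ("Marvell WiFi chip driver", "the 80211 config is not set").
GATES = {
    "CVE-2019-10126": ("drivers/net/wireless/marvell/mwifiex/ie.c", "CONFIG_MWIFIEX"),
    "CVE-2019-14895": ("drivers/net/wireless/marvell/mwifiex/sta_ioctl.c", "CONFIG_MWIFIEX"),
    "CVE-2019-14901": ("drivers/net/wireless/marvell/mwifiex/", "CONFIG_MWIFIEX"),
    "CVE-2019-17133": ("net/wireless/wext-sme.c", "CONFIG_CFG80211_WEXT"),
    "CVE-2019-16746": ("net/wireless/nl80211.c", "CONFIG_CFG80211"),
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' lines map to 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols

def triage(config_text, gates=GATES):
    """Map each CVE to 'built-in', 'module' or 'not built' for this config."""
    symbols = parse_config(config_text)
    states = {"y": "built-in", "m": "module"}
    return {cve: states.get(symbols.get(sym, "n"), "not built")
            for cve, (_path, sym) in gates.items()}

if __name__ == "__main__":
    for cve, state in triage(SAMPLE_CONFIG).items():
        print(f"{cve}: {GATES[cve][1]} -> {state}")
```

A "not built" result covers only the in-tree build described by that config file; out-of-tree wireless modules shipped alongside the kernel need a separate check.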

Ghada Khalil (gkhalil) wrote :

Marking as Invalid since StarlingX is not vulnerable.
This LP was opened for tracking purposes only.

Changed in starlingx:
status: Triaged → Invalid
assignee: Ghada Khalil (gkhalil) → Jim Somerville (jsomervi)
Ghada Khalil (gkhalil) wrote : Re: CVE-2019-10126 / CVE-2019-14895 / CVE-2019-17133 / CVE-2019-14901: WiFi Driver Vulnerabilities

Added CVE-2019-14901 to this launchpad as it is also related to wifi drivers.

description: updated
summary: - CVE-2019-10126 / CVE-2019-14895 / CVE-2019-17133: WiFi Driver
- Vulnerabilities
+ CVE-2019-10126 / CVE-2019-14895 / CVE-2019-17133 / CVE-2019-14901: WiFi
+ Driver Vulnerabilities
Ghada Khalil (gkhalil) wrote :

Added CVE-2019-16746 to this launchpad as it is also related to wifi drivers.
StarlingX is not vulnerable given the 80211 config is not set

summary: - CVE-2019-10126 / CVE-2019-14895 / CVE-2019-17133 / CVE-2019-14901: WiFi
- Driver Vulnerabilities
+ CVE-2019-10126 / CVE-2019-14895 / CVE-2019-17133 / CVE-2019-14901 /
+ CVE-2019-16746: WiFi Driver Vulnerabilities
description: updated
This report contains Public Security information  
Everyone can see this security related information.
