Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise


A patch is currently under revision but has not yet been incorporated into the Linux kernel.

A critical Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines. A fix has been proposed but has not yet been incorporated into the Linux kernel.

The flaw (CVE-2019-17666), which was classified as critical in severity, exists in the “rtlwifi” driver, a software component that allows certain Realtek Wi-Fi modules used in Linux devices to communicate with the Linux operating system.

Specifically, the driver is vulnerable to a buffer overflow attack, in which more data is written to a buffer (a region in physical memory storage used to temporarily store data while it is being moved) than it can hold. Here the buffer is allocated in the heap portion of memory (a region of a process’s memory used to store dynamic variables). The excess data in turn corrupts nearby space in memory and could alter other data, opening the door for malicious attacks. This specific flaw could enable attackers to launch a variety of attacks, from crashing vulnerable Linux machines to full takeover.

“The bug is serious… if an attacker is currently using that Realtek driver (rtlwifi), then it’s vulnerable to this bug and someone on a wireless distance range can potentially attack him,” Nico Waisman, principal security engineer at GitHub, who discovered the bug and posted his findings Thursday on Twitter, told Threatpost.

The vulnerable piece of the rtlwifi driver is a feature called the Notice of Absence protocol. This protocol helps devices autonomously power down their radio to save energy. The flaw exists in how the driver handles Notice of Absence packets: It does not check certain packets for a compatible length, so an attacker could add specific information elements that would cause the system to crash.
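To illustrate the kind of length validation described above as missing, here is an added example (not the rtlwifi driver's code and not the proposed patch): a parser for a simplified Notice of Absence attribute that rejects any packet whose declared length does not fit a fixed-size descriptor table. The field layout, the sizes and every name in it are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed simplified layout: id(1) | len(2, LE) | index(1) | ctwindow(1) | descriptors */
#define NOA_HDR_LEN   2   /* index + ctwindow */
#define NOA_DESC_LEN 13   /* repeat(1) + duration(4) + interval(4) + start(4) */
#define MAX_NOA_DESC  2   /* capacity of the fixed destination table (assumed) */

struct noa_state {
    size_t   count;
    uint8_t  repeat[MAX_NOA_DESC];
    uint32_t duration[MAX_NOA_DESC];
    uint32_t interval[MAX_NOA_DESC];
    uint32_t start[MAX_NOA_DESC];
};

/* Constructed sample: one descriptor, declared length 15 = 2 + 13. */
const uint8_t sample_one[] = {0x0c, 15, 0, 1, 0, 255,
                              0x10, 0, 0, 0, 0x20, 0, 0, 0, 0x30, 0, 0, 0};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of descriptors stored, or -1 if the attribute is rejected. */
int parse_noa(const uint8_t *attr, size_t avail, struct noa_state *out)
{
    if (avail < 3)
        return -1;
    size_t len = (size_t)attr[1] | (size_t)attr[2] << 8;
    if (len < NOA_HDR_LEN || len > avail - 3)
        return -1;      /* declared length exceeds the bytes actually received */
    if ((len - NOA_HDR_LEN) % NOA_DESC_LEN != 0)
        return -1;      /* body is not a whole number of descriptors */
    size_t n = (len - NOA_HDR_LEN) / NOA_DESC_LEN;
    if (n > MAX_NOA_DESC)
        return -1;      /* packet-derived count must fit the table before any write */
    const uint8_t *d = attr + 3 + NOA_HDR_LEN;
    memset(out, 0, sizeof(*out));
    for (size_t i = 0; i < n; i++, d += NOA_DESC_LEN) {
        out->repeat[i]   = d[0];
        out->duration[i] = le32(d + 1);
        out->interval[i] = le32(d + 5);
        out->start[i]    = le32(d + 9);
    }
    out->count = n;
    return (int)n;
}
```

The state structure is only written after every length check has passed, so a rejected packet leaves previously parsed values untouched.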

According to Waisman, to exploit the flaw an attacker would send a “malicious” packet that will trigger the vulnerability on the Linux machine. This can be done if the attacker is within radio range of the vulnerable device. There is no need for an attacker to have any sort of authentication, he said.

The flaw can be exploited to trigger various attacks, he added.

“The vulnerability triggers an overflow, which means it could make Linux crash or if a proper exploit is written (which is not trivial), an attacker could obtain remote code-execution,” Waisman told Threatpost.

Versions through 5.3.6 of the Linux kernel operating system are impacted, and researchers said the flaw had been in existence for four years before discovery. In response, the Linux kernel team has developed a patch which is currently under revision but has not yet been incorporated into the Linux kernel.

Realtek did not respond to a request for comment from Threatpost.
