Wi-Fi software security bug could leave Android, Windows, Linux open to attack

In an e-mail today to the Open Source Software Security (oss-security) mailing list, the maintainer of wireless network client code used by Android, the Linux and BSD Unix operating systems, and Windows Wi-Fi device drivers sent an urgent fix to a flaw that could allow attackers to crash devices or even potentially inject malicious software into their memory. The flaw could allow these sorts of attacks via a malicious wireless peer-to-peer network name.

The vulnerability was discovered by the security team at Alibaba and reported to wpa_supplicant maintainer Jouni Malinen by the Google security team. The problem, Malinen wrote, is in how wpa_supplicant "uses SSID information parsed from management frames that create or update P2P peer entries" in the list of available networks. The vulnerability is similar in some ways to the Heartbleed vulnerability in that it doesn't properly check the length of transmitted data. But unlike Heartbleed, which let an attacker read contents out of memory from beyond what OpenSSL was supposed to allow, the wpa_supplicant vulnerability works both ways: it could expose contents of memory to an attacker, or allow the attacker to write new data to memory.

That's because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information "is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets," Malinen wrote, and the code "was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation."

Read 2 remaining paragraphs | Comments