Critical Linux Wi-Fi Bug Could Result in Full System Compromise

By Richard Anderson

A critical flaw in the Linux rtlwifi driver has been identified which could allow a full system compromise. A patch is being prepared but as not yet been added to the Linux kernel.

The rtlwifi driver is used to ensure compatibility of Realtek Wi-Fi chips on Linux devices and allow them to communicate with the Linux operating system. The vulnerability – CVE-2019-17666 – has existed for around 4 years but has only just been discovered. The flaw could allow an attacker to crash a targeted device or achieve a full system takeover.

The flaw is a buffer overflow vulnerability in the Linux kernel, specifically the Notice of Absence protocol of the rtlwifi driver. The vulnerability could be exploited on a device with a Realtek chip if the user is within range of an attacker-controlled device. This will limit the potential for the flaw to be exploited, but the flaw is still serious.

The attacker could conduct the attack without any user interaction if Wi-Fi is enabled on a vulnerable device. In such cases, an attacker could send a malicious packet to Wi-Fi beacons that includes vendor-specific information which would trigger the vulnerability. The vulnerability cannot be exploited if Wi-Fi is not turned on nor if third-party Wi-Fi chips are used. Android devices that use Realtek chips are also potentially vulnerable to attack.

Crashing a device is relatively easy, and while more involved, an attacker could potentially remotely execute code on a vulnerable device. A Proof of Concept exploit that allows remote code execution has not yet been developed.

The vulnerability was discovered by security researcher Nico Waisman, principal security engineer at GitHub. The vulnerability has been reported and a patch has been proposed, but it has yet to be made available. The flaw is present in versions 5.3.6 of the Linux kernel operating system and earlier. The patch is expected to be released in the next few days and should be applied as soon as possible.

Twitter Facebook LinkedIn Reddit Link copied to clipboard

Posted by

Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news