Vigil@nce: Linux kernel, denial of service via WiFi
August 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can send WiFi Beacon frames in order to stop the Linux
kernel.
Severity: 1/4
Consequences: denial of service of computer
Provenance: radio connection
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 17/08/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
An 802.11 host periodically scans the network, and the access point
answers with a Beacon (Probe Response) containing the SSID (Service
Set IDentifier). A Beacon can contain optional information (named
"IE", Information Elements).
The cmp_ies() function of the net/wireless/scan.c file compares
received IEs. However, when the Linux kernel receives a Beacon
with no IE, followed by a Beacon with one IE, a NULL pointer is
dereferenced in cmp_ies().
An attacker can therefore send WiFi Beacon frames in order to stop
the Linux kernel while it scans the network.
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8952
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-WiFi-8952