For instance, in the workstation case, a user could enter the following command at the WLAN adapter terminal to trigger the bug without needing any user interaction: iw dev wlan2 set power_mode=active
The above command would trigger a use after free and potentially allow execution of arbitrary code. With the mac80211 stack for the Linux kernel before version 5.19.14, it was possible to trigger a use after free condition in the mac80211_radiotap_rssi_from_scan function by sending a WPA handshake with the RSSI value set to -1 in network traffic.
Concretely, in the case of an attacker having a WLAN adapter on a victim’s local network, it was possible to send arbitrary network traffic to the mac80211_radiotap_rssi_from_scan function by sending a WPA handshake with the RSSI value set to -1. With the above scenario, an attacker could inject WLAN frames with RSSI value -1 at the victim’s adapter to trigger the use after free condition. This would cause the kernel to crash and potentially allow execution of arbitrary code. With this in mind, a malicious attacker could exploit the above WLAN bug to crash the kernel, leading to a Denial of Service. In other scenarios, this could be exploited by an attacker to crash the kernel, leading to a system crash. With the mac80211 stack for the Linux
References ^END ^
For instance, in the workstation case, a user could enter the following command at the WLAN adapter terminal to trigger the bug without needing any user interaction: iw dev wlan2 set power_mode=active
The above command would trigger a use after free and potentially allow execution of arbitrary code. With the mac80211 stack for the Linux kernel before version 5.19.14, it was possible to trigger a use after free condition in the mac80211_radiotap_rssi_from_scan function by sending a WPA handshake with the RSSI value set to -1 in network traffic.
Concretely, in the case of an attacker having a WLAN adapter on a victim’s local network, it was possible to send arbitrary network traffic to the mac80211_radiotap_rssi_from_scan function by sending a WPA handshake with the RSSI value set to -1. With the above scenario, an attacker could inject WLAN frames with RSSI value -1 at the victim’s adapter to trigger the use after free condition. This would cause the kernel to crash and potentially allow execution of arbitrary code. With this in mind, a malicious attacker could exploit the above WLAN bug to crash the kernel, leading to a Denial of Service. In other scenarios, this could be exploited by an attacker to crash the kernel, leading to a system crash. With this vulnerability patched through Debian 8 (