CVE-2024-27410 - Linux Kernel Wifi nl80211 Mesh ID Vulnerability Explained

Date: June 2024
Author: KernelSec Notes
Tags: Linux kernel, Wifi, nl80211, CVE-2024-27410, exploit, security

Introduction

A new security issue was found and fixed in the Linux kernel, tracked as CVE-2024-27410. This vulnerability affects the kernel's wifi subsystem, specifically the nl80211 interface, and relates to how mesh network IDs are handled when setting up a new mesh interface. In this post, we break down what happened, why it matters, and what code was changed to fix it, all in simple, easy-to-understand language.

What is the Vulnerability?

Linux allows wifi interfaces to be managed via netlink through the nl80211 subsystem. One powerful feature is the ability to create wifi mesh networks, where devices connect directly to one another without an access point.

The bug appears when trying to *change the mesh ID* (the unique name for a mesh network) at the same time as changing the type of a wifi interface to "mesh" mode. The kernel used to accept this combination, but the mesh ID was written into wdev->u, the per-interface union that still held state for the interface's current (non-mesh) type, so kernel memory tied to the network interface was overwritten unexpectedly. This could let an attacker confuse networking code inside the kernel, potentially crashing or destabilizing the system, or (in theory) subverting networking settings.

The kernel developer's description

> It's currently possible to change the mesh ID when the interface isn't yet in mesh mode, at the same time as changing it into mesh mode. This leads to an overwrite of data in the wdev->u union for the interface type it currently has, causing cfg80211_change_iface() to do wrong things when switching.

Who is Affected?

This bug affects any system running a Linux kernel with wifi and mesh capabilities enabled, and which allows untrusted userspace to issue nl80211 netlink commands (typically, systems where users can influence wifi configuration without privilege separation). Note that NL80211_CMD_SET_INTERFACE requires CAP_NET_ADMIN over the interface's network namespace, so the realistic exposure is to already-privileged local processes, to privileged wifi helpers that relay requests from unprivileged clients, and to containers or user namespaces that own a wireless interface.

How Does The Exploit Work? *(Step By Step)*

1. Create a Network Interface: Begin with a non-mesh wifi interface (for example, a managed interface).
2. Send a Netlink Command: Via nl80211, try to change the wifi interface type to mesh while also setting the mesh ID.
3. Trigger the Overwrite: The kernel wrote the mesh ID into wdev->u while that union still held state for the interface's current type, before cfg80211_change_iface() performed the switch, so the switch operated on corrupted state and could behave erratically.

Exploit Example (Python using pyroute2)

Below is a *theoretical* exploit snippet that attempts to trigger this condition using the pyroute2 library. Note: Running this may crash your network or kernel!

from pyroute2 import IW

iface = "wlan"            # name of an existing, non-mesh wifi interface
mesh_id = "mysecretmesh"  # mesh ID to set while switching the interface type

iw = IW()
# The following operation is NOT safe! It is shown for demonstration purposes.
attrs = {
    'NL80211_ATTR_IFTYPE': 'mesh',
    'NL80211_ATTR_MESH_ID': mesh_id.encode('utf-8'),
}

# This would try to change the interface type and mesh ID at once.
# link_lookup() returns a list of matching ifindexes; take the first.
# A patched kernel rejects this request with -EINVAL.
iw.nlm_request('NL80211_CMD_SET_INTERFACE', ifindex=iw.link_lookup(ifname=iface)[0], attrs=attrs)

If this worked before the patch, you could have forced the kernel into a buggy state.

The Fix

Upstream developers decided the safest and simplest resolution was to disallow setting the mesh ID at the same time as changing the interface type.

Patch Snippet

Here is the crucial part of the fix from the mainline commit:

if ((changing_iftype && mesh_id_present) ||
    (changing_iftype && mesh_id_len_present)) {
    /* Disallow changing iftype and mesh ID at the same time */
    return -EINVAL;
}

Mitigation

- Update Your Kernel: Get the latest kernel version from your distribution; the vendor trackers below list the fixed packages.
  - Debian Security Tracker for CVE-2024-27410
  - Red Hat Security Advisory
- Restrict netlink Privileges: Do not allow untrusted users to configure wifi interfaces or send arbitrary nl80211 requests.
- Audit Custom Wifi Tools: If you run your own wifi management code, make sure it does not both set the mesh ID and change the iftype at once.
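To support the audit recommendation above, and to make concrete what the SET_INTERFACE request from the step-by-step section actually carries on the wire, here is an added example that is not part of the original post or of the kernel or pyroute2 projects. It encodes and inspects raw nl80211 generic-netlink messages and flags any NL80211_CMD_SET_INTERFACE request that carries both NL80211_ATTR_IFTYPE and NL80211_ATTR_MESH_ID, the combination a patched kernel rejects with -EINVAL. The constants come from the kernel UAPI headers; the sample request is constructed in memory (nlmsg_type left as a 0 placeholder) and is never sent to a socket.

```python
import struct

# nl80211 / netlink constants, from include/uapi/linux/nl80211.h and netlink.h
NL80211_CMD_SET_INTERFACE = 6
NL80211_ATTR_IFINDEX, NL80211_ATTR_IFTYPE, NL80211_ATTR_MESH_ID = 3, 5, 24
NL80211_IFTYPE_MESH_POINT = 7
NLMSG_HDRLEN, GENL_HDRLEN, NLA_HDRLEN, NLA_ALIGNTO = 16, 4, 4, 4
NLA_TYPE_MASK = 0x3FFF  # strips NLA_F_NESTED / NLA_F_NET_BYTEORDER


def parse_nlattrs(payload):
    """Walk a run of struct nlattr TLVs and return {type: raw value bytes}."""
    attrs, off = {}, 0
    while off + NLA_HDRLEN <= len(payload):
        nla_len, nla_type = struct.unpack_from("=HH", payload, off)
        if nla_len < NLA_HDRLEN or off + nla_len > len(payload):
            raise ValueError("malformed nlattr at offset %d" % off)
        attrs[nla_type & NLA_TYPE_MASK] = payload[off + NLA_HDRLEN:off + nla_len]
        off += (nla_len + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)  # NLA_ALIGN
    return attrs


def combines_iftype_and_mesh_id(msg):
    """True if this nl80211 request is SET_INTERFACE with both IFTYPE and MESH_ID."""
    if len(msg) < NLMSG_HDRLEN + GENL_HDRLEN:
        raise ValueError("message shorter than nlmsghdr + genlmsghdr")
    nlmsg_len = struct.unpack_from("=I", msg, 0)[0]
    cmd = msg[NLMSG_HDRLEN]  # genlmsghdr.cmd follows the 16-byte nlmsghdr
    if cmd != NL80211_CMD_SET_INTERFACE:
        return False
    attrs = parse_nlattrs(msg[NLMSG_HDRLEN + GENL_HDRLEN:nlmsg_len])
    return NL80211_ATTR_IFTYPE in attrs and NL80211_ATTR_MESH_ID in attrs


def nla(nla_type, value):
    """Encode one nlattr, padded to NLA_ALIGNTO."""
    tlv = struct.pack("=HH", NLA_HDRLEN + len(value), nla_type) + value
    return tlv + b"\0" * (-len(tlv) % NLA_ALIGNTO)


def build_set_interface(ifindex, iftype=None, mesh_id=None):
    """Constructed sample NL80211_CMD_SET_INTERFACE request (never sent).
    nlmsg_type is 0 here; a real client fills in the resolved nl80211 family id."""
    attrs = nla(NL80211_ATTR_IFINDEX, struct.pack("=I", ifindex))
    if iftype is not None:
        attrs += nla(NL80211_ATTR_IFTYPE, struct.pack("=I", iftype))
    if mesh_id is not None:
        attrs += nla(NL80211_ATTR_MESH_ID, mesh_id)
    genl = struct.pack("=BBH", NL80211_CMD_SET_INTERFACE, 0, 0)
    nlh = struct.pack("=IHHII", NLMSG_HDRLEN + len(genl) + len(attrs), 0, 0, 0, 0)
    return nlh + genl + attrs
```

Feeding the messages your own tool emits through combines_iftype_and_mesh_id() shows whether it would trip the rejected combination; the same check can run as an assertion in that tool's tests.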

References & Further Reading

- Linux Kernel Commit resolving CVE-2024-27410
- Wireless Wiki: nl80211
- pyroute2 documentation
- CVE Details for CVE-2024-27410

Summary

The CVE-2024-27410 bug in Linux's nl80211 wifi interface could let attackers abuse mesh ID changes while switching interface modes, leading to possible kernel crashes or weird wifi bugs. It's fixed by refusing to do both at once. Always keep your systems updated and double-check the way wifi interfaces are managed on your Linux devices.

Stay safe—and keep your wifi under control! 🚦


*Exclusive write-up by KernelSec Notes. Please reference this page if sharing.*

Timeline

Published on: 05/17/2024 12:15:11 UTC
Last modified on: 05/04/2025 12:55:34 UTC