CVE-2024-28084: Denial of Service (DoS) Vulnerability in iNet Wireless Daemon (IWD) Caused by Initialization Issues in p2putil.c

A newly discovered vulnerability, identified as CVE-2024-28084, poses a significant threat to the iNet Wireless Daemon (IWD) version 2.15 and earlier. This exploit allows attackers to cause a denial of service (DoS) and potentially gain unauthorized access to the affected systems. The root cause of the vulnerability lies in the improper initialization of data structures that lead to the failure of parsing advertised service information. In this post, we aim to provide an in-depth understanding of the vulnerability, how it can be exploited, and the steps required to mitigate the risks associated with it.

Problem Description

The primary cause of the CVE-2024-28084 vulnerability is linked with the improper initialization of data structures, as indicated in "p2putil.c," a critical file in iNet's Wireless Daemon (IWD) up to version 2.15. This initialization problem results in the failure to parse advertised service information and leads to a subsequent denial of service (DoS) and a possible system compromise.

Vulnerable Code Snippet in p2putil.c

1. struct p2putil_advertised_service_data {
2.    char *vnid;
3.    char *ssid;
4.    ...
5. };
6.
7. static int p2putil_parse_advertised_service(const void *data, size_t len,
8.                 struct p2putil_advertised_service_data *advertised_data)
9. {
10.   ...
11.   if ((vnid = l_util_find_ie(data, len, P2PUTIL_VENDOR_IE))) {
12.       digits = l_util_parse_ie(vnid, P2PUTIL_VENDOR_IE_LEN, &vnid);
13.   }
14.
15.   if (digits < P2PUTIL_VENDOR_IE_DEPTH) {
16.       l_error("Invalid vendor IE length");
17.       return -1;
18.   }
19.   ...
20. }

In the code snippet above, the p2putil_advertised_service_data structure (line 1) fails to initialize some variables, such as vnid and ssid. The uninitialized data is then utilized while parsing the advertised service information in the p2putil_parse_advertised_service function (line 7). The failure of initialization and parsing of vendor IE length (lines 11-18) results in a return value of -1 (line 17), which causes a subsequent crash of the wireless daemon or other unforeseen system impacts.

Exploit Details

An attacker could exploit this vulnerability by sending specially crafted wireless service advertisements to the target system running an affected version of iNet Wireless Daemon (IWD). The failure to parse advertised service information, as disclosed in the vulnerable code snippet, leads to a denial of service (DoS) and potentially other unspecified impacts.

Mitigation

To mitigate the risks associated with the CVE-2024-28084 vulnerability, we recommend the following steps:

Upgrade to the latest version of iNet Wireless Daemon (IWD), which addresses this vulnerability.

2. Monitor the network for any unauthorized access or activities, and promptly report any suspicious activities to the appropriate personnel.

Original References

- iNet Wireless Daemon (IWD) GitHub Repository
- Commit Fixing Initialization Issue in p2putil.c

Conclusion

The CVE-2024-28084 vulnerability is a critical issue that affects iNet Wireless Daemon (IWD) through version 2.15. It is crucial to understand and mitigate the associated risks to prevent attackers from causing potential denial of service (DoS) or gaining unauthorized access. By following the recommended steps outlined above, you can effectively safeguard your systems and prevent any negative impacts caused by this vulnerability.

Timeline

Published on: 03/03/2024 21:15:49 UTC
Last modified on: 03/23/2024 03:15:11 UTC