GitHub employee discovers vulnerability in Realtek WiFi driver on Linux
A problem in the Linux drivers of Realtek WiFi chips could allow users to remotely crash or take over other people’s systems. The bug allows attackers to cause a buffer overflow on nearby Linux systems.
The bug, designated CVE-2019-17666, was introduced in 2013 in Linux kernel version 3.10.1 and has not yet been fixed. The problem is in the RTLWIFI driver, which is used to support Realtek WiFi chips on Linux. At the very least, the bug appears to be capable of causing an operating system crash. The flaw may even allow malicious parties to take over entire systems.
The vulnerability could theoretically be exploited when an affected system is within radio range of a malicious user. The attacker does not need access to the affected device, as long as it has Wi-Fi turned on. The vulnerability involves Notice of Absence, a power-saving feature. This feature is part of Wi-Fi Direct, a standard that allows two devices to connect via WiFi without the need for an access point. The vulnerability cannot be exploited if the WiFi on a device is turned off. Systems that contain a WiFi chip from another manufacturer are also safe. Ars Technica writes that Android devices with Realtek chips may also be vulnerable, based on two different links. This cannot yet be said with certainty. Google has not yet responded to this, Ars Technica reports.
The bug was found by Nico Waisman of GitHub. After finding it, he shared his discovery on Twitter. According to Waisman, this bug is a serious problem. “It’s a vulnerability that can cause a [buffer] overflow over Wi-Fi on the Linux kernel, provided you use a Realtek driver,” Waisman tells Ars Technica. Waisman himself has not yet been able to create a proof-of-concept attack that allows remote code execution. On paper, exploitation of the vulnerability is possible: in the worst case it results in a full-blown denial-of-service attack, and in the best case attackers obtain a shell, an environment in which users can execute commands and programs.
Linux developers proposed a possible solution on Wednesday. It will probably be added to the Linux kernel shortly.
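Until a fix lands, a machine can be checked against the two conditions described above (the RTLWIFI driver in use, on kernel 3.10.1 or later). The script below is an added example, not code from the article or from the kernel developers; the function names and the sample module listing are constructed, and it assumes the driver shows up as the `rtlwifi` module in `/proc/modules`.

```shell
#!/bin/sh
# Added triage sketch; function names and sample data are constructed.

# version_ge A B: succeed when dotted kernel version A >= B.
version_ge() {
    a=${1%%[!0-9.]*}.0.0          # "5.3.0-19-generic" -> "5.3.0.0.0"
    b=${2%%[!0-9.]*}.0.0
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# rtlwifi_loaded FILE: succeed when FILE (in /proc/modules format) lists rtlwifi.
rtlwifi_loaded() {
    awk '$1 == "rtlwifi" { found = 1 } END { exit !found }' "$1"
}

# triage MODULES_FILE KERNEL_RELEASE: print a verdict, return 0 when exposed.
triage() {
    if ! rtlwifi_loaded "$1"; then
        echo "rtlwifi not loaded: not exposed through this driver"
        return 1
    fi
    # Upstream numbering only; vendor kernels with backports may differ.
    if ! version_ge "$2" 3.10.1; then
        echo "kernel $2 predates 3.10.1, where the article says the bug appeared"
        return 1
    fi
    echo "rtlwifi loaded on kernel $2: exposed while Wi-Fi is turned on"
    return 0
}

# Constructed sample of /proc/modules; on a real host run:
#   triage /proc/modules "$(uname -r)"
sample=$(mktemp)
cat > "$sample" <<'EOF'
rtl8192ce 81920 0 - Live 0x0000000000000000
rtl_pci 32768 1 rtl8192ce, Live 0x0000000000000000
rtlwifi 98304 2 rtl8192ce,rtl_pci, Live 0x0000000000000000
EOF
triage "$sample" "5.3.0-19-generic" || true
rm -f "$sample"
```

A driver compiled into the kernel image does not appear in `/proc/modules`, so a negative result on a custom-built kernel needs a second look.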