The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.
The vulnerability is caused by a failure to verify the length of the IEEE 802.11s Mesh ID field in a beacon frame before copying it to a buffer allocated on the kernel heap. When FreeBSD operates in wireless network scanning mode (i.e., not connected to any SSID), it processes received beacon frames from its surroundings. An attacker can broadcast a maliciously crafted beacon frame containing an excessively long Mesh ID field, leading to a heap-based buffer overflow and overwriting critical kernel data structures. The consequence is the ability to execute arbitrary code remotely in the kernel context of the operating system.
An attacker within wireless network range can gain full control of the system through RCE in kernel space, meaning the ability to compromise the confidentiality, integrity, and availability of the entire system.
Apply patches available from the vendor in accordance with the references — see FreeBSD advisory FreeBSD-SA-22:07.wifi_meshid available at https://security.freebsd.org/advisories/FreeBSD-SA-22:07.wifi_meshid.asc. As a temporary measure, consider disabling Wi-Fi interfaces or avoiding network scanning mode on vulnerable systems.
FreeBSD — versions indicated in the vendor's references (advisory FreeBSD-SA-22:07.wifi_meshid)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFreebsd
OSFreebsd12.313.013.1< 12.312.4 – 13.0 (bez)
Related vulnerabilities
FreeBSD UMTX_SHM_DESTROY: use-after-free umożliwiający RCE lub ucieczkę z sandboxa
RCE w implementacji NFS w OpenBSD i FreeBSD — zdalne wykonanie kodu
In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5...
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket...
In FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before...