CVE-2022-32590: An issue with wlan's status check could lead to local escalation of privilege with System execution privileges. User interaction is not needed for exploitation.
When sending a DHCP option, the values are validated against a hard-coded prefix. However, due to a missing validation check, it is possible to specify any address. This could be used, for instance, to specify a different target host than the one intended, and could be abused to set up a man-in-the-middle attack. We would like to highlight that this bug does not allow for remote code execution; however, it could be used for local privilege escalation. Patch ID: ALPS07299385; Issue ID: ALPS07299385.
Bluetooth bugs
CVE-2018-19909: When parsing a Bluetooth LE packet, we may not properly validate the MAC address. This may cause an out-of-bounds or null pointer exception resulting in a buffer overflow that could allow for remote code execution. Patch ID: ALPS07299385; Issue ID: ALPS07299385. When configuring a wireless interface, the wireless device may accept an IPv6 address that is not enabled on the wireless interface. This could be exploited, for instance, when a wireless device is configured to accept an IPv6 address that is behind a NAT, and the attacker is configured to accept only IPv4 connections. In this case, the attacker could send an IPv6 option with no value in order to overwrite memory and gain control over the device. Patch ID: ALPS07299385; Issue ID: ALPS07299385.
Timeline
Published on: 10/07/2022 20:15:00 UTC
Last modified on: 10/12/2022 13:52:00 UTC