According to an email sent today to the Open Source Software Security mailing list, there is a major flaw in the wireless network client code used by Android, Linux, and BSD Unix-based operating systems, as well as in Windows WiFi device drivers, that could allow attackers to crash devices or even potentially inject malicious software into their memory over wireless P2P network names. In other words, the SSID of the network would contain malicious data that could affect machines scanning for peer-to-peer wireless networks.
The vulnerability was discovered by the security team at Alibaba and reported to the wpa_supplicant maintainer Jouni Malinen by the Google security team. According to the email, SSIDs have a valid length of 0-32 octets (1 octet = 8 bits), which in general equates to 1 ASCII character per octet. However, according to the email from Malinen, “it is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets. wpa_supplicant was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device.” So would-be attackers would have about a tweet’s worth of extra characters to do their dirty deeds, thanks to this WiFi bug.
He went on to explain that this WiFi bug could allow a denial-of-service attack by corrupting the heap and crashing the WiFi drivers, or even the execution of a short piece of code included in the SSID during the “handshake” that takes place when a peer-to-peer connection is set up (GO Negotiation): “This could result in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.”
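To make the mechanics concrete, here is an added example (not code from the advisory or from wpa_supplicant) of a minimal C parser for the SSID information element that performs the length check the email describes as missing: the element's 8-bit length field can claim up to 255 octets, so the parser must reject anything over 32 before copying into a fixed-size buffer. The element bytes, structure and function names below are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* maximum valid SSID length per 802.11 */
#define IE_SSID 0         /* element ID of the SSID information element */

/* Hypothetical peer record with a fixed-size SSID buffer, as a P2P
 * implementation might keep for each discovered device. */
struct p2p_peer {
    uint8_t ssid[SSID_MAX_LEN];
    size_t ssid_len;
};

/* Walk a stream of 802.11 elements (ID, 8-bit length, payload) and copy
 * the SSID into the peer record. Returns 0 on success, -1 if the stream
 * is truncated or the SSID exceeds 32 octets. The SSID_MAX_LEN check is
 * the mitigation for the defect the email describes: without it, a peer
 * can declare up to 255 octets and overrun the 32-byte buffer on the heap. */
int parse_peer_ssid(const uint8_t *ies, size_t ies_len, struct p2p_peer *peer)
{
    size_t pos = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos];
        uint8_t len = ies[pos + 1];
        if (pos + 2 + len > ies_len)
            return -1;                    /* element runs past the buffer */
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)
                return -1;                /* oversized SSID: reject, do not copy */
            memcpy(peer->ssid, &ies[pos + 2], len);
            peer->ssid_len = len;
            return 0;
        }
        pos += 2 + len;                   /* skip elements we do not use */
    }
    return -1;                            /* no SSID element found */
}

/* Constructed sample: a well-formed 11-octet SSID element, "DIRECT-demo". */
static const uint8_t good_ies[] = { IE_SSID, 11, 'D','I','R','E','C','T','-','d','e','m','o' };
/* Constructed sample: an SSID element claiming 64 octets of payload. */
static uint8_t bad_ies[2 + 64];

/* Runs both samples; returns 1 when the valid SSID is accepted and the
 * oversized one is rejected without touching the buffer. */
int demo(void)
{
    struct p2p_peer peer;
    memset(bad_ies, 'A', sizeof(bad_ies));
    bad_ies[0] = IE_SSID;
    bad_ies[1] = 64;
    int ok = parse_peer_ssid(good_ies, sizeof(good_ies), &peer);
    int rejected = parse_peer_ssid(bad_ies, sizeof(bad_ies), &peer);
    return ok == 0 && peer.ssid_len == 11 && rejected == -1;
}
```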
Toward the end of the email he explained a couple of ways to mitigate the issue, including a patch for the WiFi bug, which will hopefully arrive as updates to all of our favorite platforms in the coming months, especially since Google were the ones who reported the bug in the first place. The bad news is, of course, that the numerous devices out there that are no longer receiving software support but are still in use (looking at you, Android) will remain open to this attack indefinitely.