ALERT: Linux Kernel Bug allows Full System Takeover (CVE-2019-17666)

A critical vulnerability was discovered in the Linux Kernel which allows attackers to crash the operating system or completely take over the operating system. Researchers claim that this bug exists since at least 2015. This vulnerability discovered by Nico Waisman, principal security engineer at Github by using a vulnerability scanning tool.

The Linux Kernel Bug resides in the ‘rtlwifi‘ driver component of Realtek Wi-Fi modules used in Linux devices for establishing communication with the Linux operating system. The vulnerability tracked as CVE-2019-17666 and is classified as buffer overflow. The issue affects a power-saving feature known as Notice of Absence in rtlwifi driver. The flaw exists while parsing Notice of Absence frames due to lack of certain upper bound check. An attacker could use maliciously crafted packets with incorrect lengths to trigger the flaw. Also, auto patching can be of help here to patch this vulnerability.

The devices using a Realtek chip with WiFi turned ON deemed vulnerable. This vulnerability triggered only when the vulnerable device is in the radio range of a malicious device.

The Linux developers proposed a fix which incorporated into the OS kernel in a few days.

Affected Products by Linux Kernel Bug

Linux kernel through 5.3.6

Impact

Successful exploitation allows an attacker to crash the operating system or take over the operating system.

Solution

While there is no workaround or remediation available currently, we will continue to monitor this vulnerability and update as and when a fix is available.