The TI WiLink WL18xx MCP driver does not limit the number of information elements (IEs) of type XCC_EXT_1_IE_ID or XCC_EXT_2_IE_ID that can be parsed in a management frame. Using a specially crafted frame, a buffer overflow can be triggered that can potentially lead to remote code execution.
The CVSS base score for this issue can range from 8.8 to 9.6. The higher base score reflects a Confidentiality and Integrity impact of High. However, some systems can have a Confidentiality or Integrity Impact of Low depending on the characteristics of the host processor executing the WL18xx MCP driver and whether the disclosure or modification of the memory that can be accessed represents a direct or serious loss.
CVSS vector
An attacker within wireless range of a potentially vulnerable device can gain the ability to overwrite memory of the host processor executing the MCP driver.
In MCP8.5_SP3\WiLink\UWD\src\Services\mlmeParser.c, include the following code starting at line 720:
/* Bound the IE count: fail the parse once rsnIeIdx has reached 3. */
if( rsnIeIdx >= 3 )
{
    TRACE(pHandle->hReport, REPORT_SEVERITY_ERROR, "MLME_PARSER: Number of RSN IEs exeeds 3\n");
    return TI_NOK;
}
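The same pattern in a self-contained form, as an added example that is not TI's code and is not taken from the MCP driver: an information-element parser that checks the slot count before each store and also checks each element's length against the bytes remaining in the frame. All names, the IE id value 0xF0 and the sample frame are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and values; this is not the WL18xx MCP driver source. */
#define MAX_EXT_IES 3     /* slots available, mirroring the limit of 3 in the fix */
#define EXT_IE_ID   0xF0  /* constructed placeholder for the IE type collected */

typedef struct { uint8_t len; uint8_t data[255]; } ext_ie_t;
typedef struct { ext_ie_t ie[MAX_EXT_IES]; size_t count; } parsed_frame_t;

/* Walk the id/length/value elements of a frame body. Returns 0 on success,
 * -1 if an element is truncated or more matching IEs arrive than fit. */
int parse_ies(const uint8_t *buf, size_t buf_len, parsed_frame_t *out)
{
    size_t off = 0;
    out->count = 0;
    while (off < buf_len) {
        if (buf_len - off < 2)
            return -1;                  /* truncated id/length header */
        uint8_t id  = buf[off];
        uint8_t len = buf[off + 1];
        off += 2;
        if (len > buf_len - off)
            return -1;                  /* value runs past the end of the frame */
        if (id == EXT_IE_ID) {
            if (out->count >= MAX_EXT_IES)
                return -1;              /* count bound, checked before the write */
            out->ie[out->count].len = len;
            memcpy(out->ie[out->count].data, buf + off, len);
            out->count++;
        }
        off += len;
    }
    return 0;
}

int main(void)
{
    /* Constructed frame body: four matching IEs, one more than fits. */
    static const uint8_t four[] = { 0xF0,1,0xAA, 0xF0,0, 0xF0,2,1,2, 0xF0,1,0xBB };
    parsed_frame_t f;
    int rc = parse_ies(four, sizeof four, &f);
    printf("rc=%d stored=%zu\n", rc, f.count);
    return 0;
}
```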
We want to thank Omri Ben Bassat of Microsoft for reporting this vulnerability to the TI Product Security Incident Response Team (PSIRT).