Jouni Malinen

9 exploits Active since Feb 2021
CVE-2023-52160 NOMISEC MEDIUM STUB
Debian Linux < 2.10 - Authentication Bypass
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.
7 stars
CVSS 6.5
CVE-2020-27301 NOMISEC HIGH WORKING POC
Realtek RTL8710 and RTL8195A Firmware - Remote Code Execution via AES_UnWRAP Buffer Overflow
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "AES_UnWRAP" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.
1 stars
CVSS 8.0
CVE-2022-23303 NOMISEC CRITICAL WORKING POC
hostapd and wpa_supplicant < 2.10 - Side Channel Attack via SAE Cache Access Patterns
The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.
CVSS 9.8
CVE-2021-0326 NOMISEC HIGH WRITEUP
Android - Out-of-bounds Write in p2p_copy_client_info
In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172937525
CVSS 7.5
CVE-2021-0516 NOMISEC CRITICAL WORKING POC
Android - Out-of-bounds Read and Write via Use-After-Free in p2p_process_prov_disc_req
In p2p_process_prov_disc_req of p2p_pd.c, there is a possible out of bounds read and write due to a use after free. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-181660448
CVSS 9.8
CVE-2021-0326 NOMISEC HIGH WRITEUP
Android - Out-of-bounds Write in p2p_copy_client_info
In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172937525
CVSS 7.5
CVE-2021-0326 NOMISEC HIGH STUB
Android - Out-of-bounds Write in p2p_copy_client_info
In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172937525
CVSS 7.5
CVE-2021-0326 NOMISEC HIGH WRITEUP
Android - Out-of-bounds Write in p2p_copy_client_info
In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172937525
CVSS 7.5
CVE-2022-40279 WRITEUP HIGH WRITEUP
Samsung TizenRT through 3.0_GBM - Denial of Service via Unchecked Return Value in l2_packet_receive_timeout
An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). l2_packet_receive_timeout in wpa_supplicant/src/l2_packet/l2_packet_pcap.c has a missing check on the return value of pcap_dispatch, leading to a denial of service (malfunction).
CVSS 7.5