CVE-2011-1042
Description
Use-after-free vulnerability in flimflamd in flimflam in Google Chrome OS before 0.9.130.14 Beta allows user-assisted remote attackers to cause a denial of service (daemon crash) by providing the name of a hidden WiFi network that does not respond to connection attempts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Chrome OS's flimflamd allows user-assisted remote DoS by connecting to a hidden WiFi network that never responds.
Vulnerability
A use-after-free vulnerability exists in flimflamd, the network configuration daemon in Google Chrome OS before version 0.9.130.14 Beta, specifically in the handling of hidden (non-broadcast) WiFi networks. When a connection attempt to a hidden network fails (e.g., the network does not respond), the cleanup code prematurely frees the associated network block while references to it remain, leading to a use-after-free. The affected code resides in the plugins/newwifi.c file within flimflam. The issue was addressed in a commit (revision 51c10a9) that added proper reference counting and deferred device state updates for unregistered networks. [1][2]
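The ownership rule behind the fix described above, as an added example that is neither flimflam's code nor the contents of revision 51c10a9: the timeout cleanup drops its own reference instead of freeing the network object, so the pointer the device still holds stays valid. All type and function names (`hidden_net`, `device`, `connect_timeout_cleanup` and the rest) are hypothetical, and the SSID is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a hidden-network entry; not taken from flimflam. */
struct hidden_net { int refcount; char ssid[33]; };
struct device { struct hidden_net *pending; };

static int live_objects; /* allocations not yet freed, used for leak checks */

struct hidden_net *net_new(const char *ssid) {
    struct hidden_net *n = calloc(1, sizeof(*n));
    if (!n) return NULL;
    strncpy(n->ssid, ssid, sizeof(n->ssid) - 1); /* calloc keeps it terminated */
    n->refcount = 1;                             /* the creator's reference */
    live_objects++;
    return n;
}

struct hidden_net *net_ref(struct hidden_net *n) { n->refcount++; return n; }

/* Returns 1 only when this call dropped the last reference and freed n. */
int net_unref(struct hidden_net *n) {
    if (--n->refcount > 0) return 0;
    free(n);
    live_objects--;
    return 1;
}

/* The device takes its own reference for as long as it keeps the pointer. */
void device_connect(struct device *d, struct hidden_net *n) { d->pending = net_ref(n); }

/* Timeout path. The unsafe pattern is free(n) here, which leaves d->pending
 * dangling; with counting, cleanup gives up only the reference it owns. */
int connect_timeout_cleanup(struct hidden_net *n) { return net_unref(n); }

/* Deferred device update: clear the pointer first, then drop the reference. */
int device_clear_pending(struct device *d) {
    struct hidden_net *n = d->pending;
    d->pending = NULL;
    return n ? net_unref(n) : 0;
}

int main(void) {
    struct device d = {0};
    struct hidden_net *n = net_new("constructed-hidden-ssid");
    if (!n) return 1;
    device_connect(&d, n);
    connect_timeout_cleanup(n);                 /* attempt timed out */
    printf("pending after timeout: %s\n", d.pending->ssid);
    device_clear_pending(&d);
    return live_objects;                        /* 0 when nothing leaked */
}
```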
Exploitation
An attacker with knowledge of the target device can cause the device to attempt a connection to a hidden WiFi network that does not respond. This requires user interaction: the user must manually enter the hidden network's name (SSID) in the connection UI. Once the connection attempt times out, the use-after-free triggers a crash of flimflamd. The attack can be easily reproduced by connecting to a non-existent hidden network and waiting for timeout. [1][2]
Impact
Successful exploitation results in a denial of service (DoS) of the flimflamd daemon, disrupting the device's ability to manage network connections. The crash causes the daemon to terminate; depending on system configuration, it may or may not automatically restart. No privilege escalation or data compromise is achieved. The impact is limited to availability, as the attacker can repeatedly cause the daemon to crash. [2]
Mitigation
The vulnerability is fixed in Google Chrome OS version 0.9.130.14 Beta and later. The fix was committed in revision 51c10a9 and is included in that release. Users should update to the latest stable version of Chrome OS. No workarounds are available for older versions. The issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:* (range: <=0.9.126.0)
- cpe:2.3:o:google:chrome_os:8.0.552.342:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:8.0.552.343:*:*:*:*:*:*:*
- cpe:2.3:o:google:chrome_os:8.0.552.344:*:*:*:*:*:*:*
- (no CPE) (range: <0.9.130.14 Beta)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.