Date: Sun, 16 Aug 2015 15:19:53 +0200 From: Moritz Muehlenhoff <jmm@...ian.org> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: hostapd/wpa_supplicant - Incomplete WPS and P2P NFC NDEF record payload length validation Hi, This doesn't seem to have received a CVE assignment, explicitly adding cve-assign to CC. Cheers, Moritz On Wed, Jul 08, 2015 at 05:48:53PM +0300, Jouni Malinen wrote: > Incomplete WPS and P2P NFC NDEF record payload length validation > > Published: July 8, 2015 > The latest version available from: http://w1.fi/security/2015-5/ > > > Vulnerability > > A vulnerability was found in NDEF record parsing implementation in > hostapd and wpa_supplicant. This code is used when an NFC Tag or NFC > connection handover is used to trigger WPS or P2P operations. The parser > did include bounds checking for the NDEF record payload length, but due > to insufficient integer size, it was possible to trigger integer > overflow that would result in bypassing the validation step with some > malformed NDEF records. > > This could result in denial of service due to hostapd/wpa_supplicant > process termination (buffer read overflow) or infinite loop. The issue > can be triggered only if the NFC stack on the device does not perform > required validation steps for received NFC messages before sending the > received message to hostapd/wpa_supplicant for processing. > > It was possible for the 32-bit record->total_length value to end up > wrapping around due to integer overflow if the longer form of payload > length field is used and record->payload_length gets a value close to > 2^32. This could result in ndef_parse_record() accepting a too large > payload length value and the record type filter reading up to about 20 > bytes beyond the end of the buffer and potentially killing the process. > This could also result in an attempt to allocate close to 2^32 bytes of > heap memory and if that were to succeed, a buffer read overflow of the > same length which would most likely result in the process termination. > In case of record->total_length ending up getting the value 0, there > would be no buffer read overflow, but record parsing would result in an > infinite loop in ndef_parse_records(). > > Any of these error cases could potentially be used for denial of service > attacks over NFC by using a malformed NDEF record on an NFC Tag or > sending them during NFC connection handover if the application providing > the NDEF message to hostapd/wpa_supplicant did no validation of the > received NDEF records. While such validation is likely done in the NFC > stack that needs to parse the NFC messages before further processing, > hostapd/wpa_supplicant should have (re)confirmed NDEF message validity > properly. > > > Vulnerable versions/configurations > > hostapd v0.7.0-v2.4 with CONFIG_WPS_NFC=y in the build configuration > (hostapd/.config) and NFC NDEF records passed to hostapd by the NFC > stack without validation. > > wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_NFC=y in the build > configuration (wpa_supplicant/.config) and NFC NDEF records passed to > wpa_supplicant by the NFC stack without validation. > > Note: No NFC stack implementation has yet been identified with > capability to pass the malformed NDEF record to > hostapd/wpa_supplicant. As such, it is not known whether this issue can > be triggered in practice. > > Alternatively to an actual NFC operation trigger, the malformed NDEF > records could be provided by other applications running on the same > device if access to the hostapd/wpa_supplicant control interface is > available to untrusted components or users. > > > Acknowledgments > > Coverity Scan discovered parts of this issue (insecure data > handling/TAINTED_SCALAR) and was the trigger for further manual review > of the parsing routine. > > > Possible mitigation steps > > - Merge the following commit and rebuild hostapd/wpa_supplicant: > > NFC: Fix payload length validation in NDEF record parser > > This patch is available from http://w1.fi/security/2015-5/ > > - Update to hostapd/wpa_supplicant v2.5 or newer, once available > > - Remove CONFIG_WPS_NFC=y from build configuration > > - Confirm that the NFC stack does sufficient validation of the received > NDEF records before passing them to hostapd/wpa_supplicant > > -- > Jouni Malinen PGP id EFC895FA >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ