Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 16 Aug 2015 15:19:53 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: hostapd/wpa_supplicant - Incomplete WPS and P2P
 NFC NDEF record payload length validation

Hi,
This doesn't seem to have received a CVE assignment, explicitly
adding cve-assign to CC.

Cheers,
        Moritz

On Wed, Jul 08, 2015 at 05:48:53PM +0300, Jouni Malinen wrote:
> Incomplete WPS and P2P NFC NDEF record payload length validation
> 
> Published: July 8, 2015
> The latest version available from: http://w1.fi/security/2015-5/
> 
> 
> Vulnerability
> 
> A vulnerability was found in NDEF record parsing implementation in
> hostapd and wpa_supplicant. This code is used when an NFC Tag or NFC
> connection handover is used to trigger WPS or P2P operations. The parser
> did include bounds checking for the NDEF record payload length, but due
> to insufficient integer size, it was possible to trigger integer
> overflow that would result in bypassing the validation step with some
> malformed NDEF records.
> 
> This could result in denial of service due to hostapd/wpa_supplicant
> process termination (buffer read overflow) or infinite loop. The issue
> can be triggered only if the NFC stack on the device does not perform
> required validation steps for received NFC messages before sending the
> received message to hostapd/wpa_supplicant for processing.
> 
> It was possible for the 32-bit record->total_length value to end up
> wrapping around due to integer overflow if the longer form of payload
> length field is used and record->payload_length gets a value close to
> 2^32. This could result in ndef_parse_record() accepting a too large
> payload length value and the record type filter reading up to about 20
> bytes beyond the end of the buffer and potentially killing the process.
> This could also result in an attempt to allocate close to 2^32 bytes of
> heap memory and if that were to succeed, a buffer read overflow of the
> same length which would most likely result in the process termination.
> In case of record->total_length ending up getting the value 0, there
> would be no buffer read overflow, but record parsing would result in an
> infinite loop in ndef_parse_records().
> 
> Any of these error cases could potentially be used for denial of service
> attacks over NFC by using a malformed NDEF record on an NFC Tag or
> sending them during NFC connection handover if the application providing
> the NDEF message to hostapd/wpa_supplicant did no validation of the
> received NDEF records. While such validation is likely done in the NFC
> stack that needs to parse the NFC messages before further processing,
> hostapd/wpa_supplicant should have (re)confirmed NDEF message validity
> properly.
> 
> 
> Vulnerable versions/configurations
> 
> hostapd v0.7.0-v2.4 with CONFIG_WPS_NFC=y in the build configuration
> (hostapd/.config) and NFC NDEF records passed to hostapd by the NFC
> stack without validation.
> 
> wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_NFC=y in the build
> configuration (wpa_supplicant/.config) and NFC NDEF records passed to
> wpa_supplicant by the NFC stack without validation.
> 
> Note: No NFC stack implementation has yet been identified with
> capability to pass the malformed NDEF record to
> hostapd/wpa_supplicant. As such, it is not known whether this issue can
> be triggered in practice.
> 
> Alternatively to an actual NFC operation trigger, the malformed NDEF
> records could be provided by other applications running on the same
> device if access to the hostapd/wpa_supplicant control interface is
> available to untrusted components or users.
> 
> 
> Acknowledgments
> 
> Coverity Scan discovered parts of this issue (insecure data
> handling/TAINTED_SCALAR) and was the trigger for further manual review
> of the parsing routine.
> 
> 
> Possible mitigation steps
> 
> - Merge the following commit and rebuild hostapd/wpa_supplicant:
> 
>   NFC: Fix payload length validation in NDEF record parser
> 
>   This patch is available from http://w1.fi/security/2015-5/
> 
> - Update to hostapd/wpa_supplicant v2.5 or newer, once available
> 
> - Remove CONFIG_WPS_NFC=y from build configuration
> 
> - Confirm that the NFC stack does sufficient validation of the received
>   NDEF records before passing them to hostapd/wpa_supplicant
> 
> -- 
> Jouni Malinen                                            PGP id EFC895FA
> 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ