Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon,  2 Nov 2015 17:52:45 -0500 (EST)
From: cve-assign@...re.org
To: j@...fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: hostapd/wpa_supplicant - Incomplete WPS and P2P NFC NDEF record payload length validation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt

>> Note: No NFC stack implementation has yet been identified with
>> capability to pass the malformed NDEF record to
>> hostapd/wpa_supplicant. As such, it is not known whether this issue can
>> be triggered in practice.

>> While such validation is likely done in the NFC
>> stack that needs to parse the NFC messages before further processing,
>> hostapd/wpa_supplicant should have (re)confirmed NDEF message validity
>> properly.

> https://w1.fi/cgit/hostap/commit/src/wps/ndef.c?id=df9079e72760ceb7ebe7fb11538200c516bdd886

>> It was possible for the 32-bit record->total_length value to end up
>> wrapping around due to integer overflow if the longer form of payload
>> length field is used and record->payload_length gets a value close to
>> 2^32.

Use CVE-2015-8041 for this integer overflow (with various possible
impacts). The vendor's report is listed under "security advisories" on
the http://w1.fi/security page, and it may be reasonable to interpret
"hostapd/wpa_supplicant should have (re)confirmed NDEF message
validity properly" to mean "hostapd/wpa_supplicant had a vulnerability
because they did not (re)confirm NDEF message validity properly." In
other words, although the issue is not exploitable with any known NFC
implementation, the hostapd/wpa_supplicant design goal was to operate
safely even if validation were missing in an NFC implementation.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWN+iXAAoJEL54rhJi8gl5WPQP/jCEUAEaL41RDQtIr+z8AQ9K
0eCZvwc3aenIJBe77KaU8f77VHbyM3pCatheArzv1KHOEyRvezr5KKscVcYxi6bj
20NnNXpWRTLoxduU0tz/2C6mUNv05VsZaRwFe1nsPHH+yDwMfzcOD6MB5esJ64l6
ZI+SbA6QMEGzq5oflWtIrijLif/YcevYyIlVJyDQjXrnvL/+g/ZfegnWruaJjWaU
CUrkAfHdeXdfk260b1hVoqncPrqIASRm2GQGhR9EzpqNWDZNcF8iGtc8LBUzSlk7
2ZmRaID4Yw57MNlFXPgn+q6scCpGWuDPAXIeJ5uBNcp4V8VVQp3zPmE9KdRzDQ1c
oypYxFfsu0/B7oW/q8nIfuz/UZge+2DZD+etPaN1jG5IpSOJhFCIgiJ8PNl6UlUU
yJNwXAMUy5+xBLULHyBhlsPc6sjJppnzP4YD/vPnzQ0uhKAXXIF/rjfi2fhX0lF7
iGikGwCXqejP4uwqJ7zE/oOh6oEEkSVYN4sqERsHmnhdE5teLMF/XOodv5P8afNX
sPbnrh67/G7PopFTCH6N4wXZrJPbi+YzETI+GXpgu1nEOkC5jtycYqV9lKnTBjQT
e6wxWk0OGdXeettqRZUhB1LTNm7OIoEjBb/+63AEyl8P6z6aqM+xXUQlNLcQHU1m
GDmrNOp6JAhzg1+xMggO
=1n9O
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ