Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 9 May 2015 21:20:36 +0300
From: Jouni Malinen <j@...fi>
To: oss-security@...ts.openwall.com
Subject: CVE request: hostapd/wpa_supplicant - Integer underflow in AP mode
 WMM Action frame processing

Could a CVE please be assigned for following?


Integer underflow in AP mode WMM Action frame processing

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-3/


Vulnerability

A vulnerability was found in WMM Action frame processing in a case where
hostapd or wpa_supplicant is used to implement AP mode MLME/SME
functionality (i.e., Host AP driver of a mac80211-based driver on
Linux).

The AP mode WMM Action frame parser in hostapd/wpa_supplicant goes
through the variable length information element part with the length of
this area calculated by removing the header length from the total length
of the frame. The frame length is previously verified to be large enough
to include the IEEE 802.11 header, but the couple of additional bytes
after this header are not explicitly verified and as a result of this,
there may be an integer underflow that results in the signed integer
variable storing the length becoming negative. This negative value is
then interpreted as a very large unsigned integer length when parsing
the information elements. This results in a buffer read overflow and
process termination.

This vulnerability can be used to perform denial of service attacks by
an attacker that is within radio range of the AP that uses hostapd of
wpa_supplicant for MLME/SME operations.


Vulnerable versions/configurations

hostapd v0.5.5-v2.4 with CONFIG_DRIVER_HOSTAP=y or
CONFIG_DRIVER_NL80211=y in the build configuration (hostapd/.config).

wpa_supplicant v0.7.0-v2.4 with CONFIG_AP=y or CONFIG_P2P=y and
CONFIG_DRIVER_HOSTAP=y or CONFIG_DRIVER_NL80211=y in the build
configuration (wpa_supplicant/.config) and AP (including P2P GO) mode
used at runtime.


Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.


Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:

  AP WMM: Fix integer underflow in WMM Action frame parser

  This patch is available from http://w1.fi/security/2015-3/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- wpa_supplicant: Do not enable AP mode or P2P GO operation at runtime

-- 
Jouni Malinen                                            PGP id EFC895FA

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.