Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 9 May 2015 21:22:14 +0300
From: Jouni Malinen <>
Subject: Re: CVE request: vulnerability in wpa_supplicant and

> On Thu, May 07, 2015 at 01:58:27PM +0200, Martin Prpic wrote:
> > Hi, I don't see a CVE assigned for this anywhere:
> >

In support of this CVE assignment request for hostapd/wpa_supplicant,
here's the full advisory text:

EAP-pwd missing payload length validation

Published: May 4, 2015
Latest version available from:


A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
buffer read overflow of up to couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.

Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime

wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.


Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.

Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:

  EAP-pwd peer: Fix payload length validation for Commit and Confirm
  EAP-pwd server: Fix payload length validation for Commit and Confirm
  EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration

Jouni Malinen                                            PGP id EFC895FA

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.