Date: Sat, 9 May 2015 21:22:14 +0300 From: Jouni Malinen <j@...fi> To: oss-security@...ts.openwall.com Subject: Re: CVE request: vulnerability in wpa_supplicant and hostapd > On Thu, May 07, 2015 at 01:58:27PM +0200, Martin Prpic wrote: > > Hi, I don't see a CVE assigned for this anywhere: > > http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt In support of this CVE assignment request for hostapd/wpa_supplicant, here's the full advisory text: EAP-pwd missing payload length validation Published: May 4, 2015 Latest version available from: http://w1.fi/security/2015-4/ Vulnerability A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and EAP-pwd/Confirm message payload is processed without verifying that the received frame is long enough to include all the fields. This results in buffer read overflow of up to couple of hundred bytes. The exact result of this buffer overflow depends on the platform and may be either not noticeable (i.e., authentication fails due to invalid data without any additional side effects) or process termination due to the buffer read overflow being detected and stopped. The latter case could potentially result in denial of service when EAP-pwd authentication is used. Further research into this issue found that the fragment reassembly processing is also missing a check for the Total-Length field and this could result in the payload length becoming negative. This itself would not add more to the vulnerability due to the payload length not being verified anyway. However, it is possible that a related reassembly step would result in hitting an internal security check on buffer use and result in the processing being terminated. Vulnerable versions/configurations hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and EAP-pwd authentication server enabled in runtime configuration. wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime. Acknowledgments Thanks to Kostya Kortchinsky of Google Security Team for discovering and reporting this issue. Possible mitigation steps - Merge the following commits and rebuild hostapd/wpa_supplicant: EAP-pwd peer: Fix payload length validation for Commit and Confirm EAP-pwd server: Fix payload length validation for Commit and Confirm EAP-pwd peer: Fix Total-Length parsing for fragment reassembly EAP-pwd server: Fix Total-Length parsing for fragment reassembly EAP-pwd peer: Fix asymmetric fragmentation behavior These patches are available from http://w1.fi/security/2015-4/ - Update to hostapd/wpa_supplicant v2.5 or newer, once available - Remove CONFIG_EAP_PWD=y from build configuration - Disable EAP-pwd in runtime configuration -- Jouni Malinen PGP id EFC895FA
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.