Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon,  2 Nov 2015 17:52:45 -0500 (EST)
From: cve-assign@...re.org
To: j@...fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: hostapd/wpa_supplicant - Incomplete WPS and P2P NFC NDEF record payload length validation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt

>> Note: No NFC stack implementation has yet been identified with
>> capability to pass the malformed NDEF record to
>> hostapd/wpa_supplicant. As such, it is not known whether this issue can
>> be triggered in practice.

>> While such validation is likely done in the NFC
>> stack that needs to parse the NFC messages before further processing,
>> hostapd/wpa_supplicant should have (re)confirmed NDEF message validity
>> properly.

> https://w1.fi/cgit/hostap/commit/src/wps/ndef.c?id=df9079e72760ceb7ebe7fb11538200c516bdd886

>> It was possible for the 32-bit record->total_length value to end up
>> wrapping around due to integer overflow if the longer form of payload
>> length field is used and record->payload_length gets a value close to
>> 2^32.

Use CVE-2015-8041 for this integer overflow (with various possible
impacts). The vendor's report is listed under "security advisories" on
the http://w1.fi/security page, and it may be reasonable to interpret
"hostapd/wpa_supplicant should have (re)confirmed NDEF message
validity properly" to mean "hostapd/wpa_supplicant had a vulnerability
because they did not (re)confirm NDEF message validity properly." In
other words, although the issue is not exploitable with any known NFC
implementation, the hostapd/wpa_supplicant design goal was to operate
safely even if validation were missing in an NFC implementation.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWN+iXAAoJEL54rhJi8gl5WPQP/jCEUAEaL41RDQtIr+z8AQ9K
0eCZvwc3aenIJBe77KaU8f77VHbyM3pCatheArzv1KHOEyRvezr5KKscVcYxi6bj
20NnNXpWRTLoxduU0tz/2C6mUNv05VsZaRwFe1nsPHH+yDwMfzcOD6MB5esJ64l6
ZI+SbA6QMEGzq5oflWtIrijLif/YcevYyIlVJyDQjXrnvL/+g/ZfegnWruaJjWaU
CUrkAfHdeXdfk260b1hVoqncPrqIASRm2GQGhR9EzpqNWDZNcF8iGtc8LBUzSlk7
2ZmRaID4Yw57MNlFXPgn+q6scCpGWuDPAXIeJ5uBNcp4V8VVQp3zPmE9KdRzDQ1c
oypYxFfsu0/B7oW/q8nIfuz/UZge+2DZD+etPaN1jG5IpSOJhFCIgiJ8PNl6UlUU
yJNwXAMUy5+xBLULHyBhlsPc6sjJppnzP4YD/vPnzQ0uhKAXXIF/rjfi2fhX0lF7
iGikGwCXqejP4uwqJ7zE/oOh6oEEkSVYN4sqERsHmnhdE5teLMF/XOodv5P8afNX
sPbnrh67/G7PopFTCH6N4wXZrJPbi+YzETI+GXpgu1nEOkC5jtycYqV9lKnTBjQT
e6wxWk0OGdXeettqRZUhB1LTNm7OIoEjBb/+63AEyl8P6z6aqM+xXUQlNLcQHU1m
GDmrNOp6JAhzg1+xMggO
=1n9O
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.