Bug 548742 - <net-wireless/wpa_supplicant-2.4-r3: EAP-pwd missing payload length validation (CVE - Pending) (CVE-2015-{4141,4142,4143,4144,4145,4146})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://w1.fi/security/2015-4/eap-pwd-...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-06 08:21 UTC by Agostino Sarubbo
Modified: 2016-06-27 10:35 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2015-05-06 08:21:09 UTC
From ${URL} :

EAP-pwd missing payload length validation

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-4/


Vulnerability

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
buffer read overflow of up to a couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.


Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.


Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.


Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:

  EAP-pwd peer: Fix payload length validation for Commit and Confirm
  EAP-pwd server: Fix payload length validation for Commit and Confirm
  EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from http://w1.fi/security/2015-4/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
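As an added illustration of the checks the advisory describes (not hostapd's or wpa_supplicant's own code), a C validator for the EAP-pwd header and Commit/Confirm payload: it refuses to read the Total-Length field unless both bytes are present, rejects a Total-Length shorter than the fragment carrying it (the case that let the remaining payload length go negative), and requires a Commit or Confirm payload to hold its full Element/Scalar or Confirm field before it is handed on. The P-256/SHA-256 field sizes, the function name and the result codes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* RFC 5931 EAP-pwd header byte: L = Total-Length follows, M = more fragments,
 * low 6 bits = PWD-Exch (2 = Commit, 3 = Confirm). */
#define EAP_PWD_HDR_L   0x80
#define EAP_PWD_HDR_M   0x40
#define EAP_PWD_COMMIT  2
#define EAP_PWD_CONFIRM 3
/* Assumed group sizes (P-256, SHA-256): Element = 2*PRIME_LEN, Scalar = ORDER_LEN, Confirm = HASH_LEN. */
#define PRIME_LEN 32
#define ORDER_LEN 32
#define HASH_LEN  32
enum pwd_check {
    PWD_OK = 0,            /* complete message, field bounds verified */
    PWD_FRAGMENT,          /* M set: buffer it and re-check after reassembly */
    PWD_ERR_SHORT_HDR,     /* no flags byte at all */
    PWD_ERR_NO_TOTAL_LEN,  /* L set but the 2-byte Total-Length is missing */
    PWD_ERR_BAD_TOTAL_LEN, /* Total-Length < this fragment: remaining length would go negative */
    PWD_ERR_SHORT_PAYLOAD, /* Commit/Confirm fields would run past the end of the frame */
    PWD_ERR_UNKNOWN_EXCH   /* only Commit and Confirm are handled here */
};
/* Validate EAP-pwd data that follows the EAP Type octet. Every length is checked before
 * the bytes behind it are read; on PWD_OK, *payload/*payload_len are safe to copy from. */
enum pwd_check eap_pwd_check(const uint8_t *data, size_t len,
                             const uint8_t **payload, size_t *payload_len)
{
    size_t pos = 0, need;
    if (len < 1) return PWD_ERR_SHORT_HDR;
    uint8_t flags = data[pos++];
    if (flags & EAP_PWD_HDR_L) {
        if (len - pos < 2)            /* the check missing in the Total-Length bug (CVE-2015-4144) */
            return PWD_ERR_NO_TOTAL_LEN;
        size_t total = ((size_t)data[pos] << 8) | data[pos + 1];
        pos += 2;
        if (total < len - pos)        /* a Total-Length shorter than the fragment is invalid */
            return PWD_ERR_BAD_TOTAL_LEN;
    }
    if (flags & EAP_PWD_HDR_M)
        return PWD_FRAGMENT;
    switch (flags & 0x3f) {
    case EAP_PWD_COMMIT:  need = 2 * PRIME_LEN + ORDER_LEN; break;
    case EAP_PWD_CONFIRM: need = HASH_LEN; break;
    default:              return PWD_ERR_UNKNOWN_EXCH;
    }
    if (len - pos < need)             /* the check missing for Commit/Confirm (CVE-2015-4143) */
        return PWD_ERR_SHORT_PAYLOAD;
    *payload = data + pos;
    *payload_len = len - pos;
    return PWD_OK;
}
```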
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-05-08 17:59:01 UTC
Bumped to 2.4-r2, which has these patches.

Security team - please mark for stabilization if you want.
Comment 2 Alexander Tsoy 2015-05-08 18:29:44 UTC
There are another two vulnerabilities published at the same time (May 4, 2015):
http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt

Can you handle them in this bug report? Or should I open separate bugs for them?
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-05-11 14:54:57 UTC
I have added them to -r3 - security, please stabilize that version instead.
-r2 has been removed from the tree.
Comment 4 Agostino Sarubbo gentoo-dev 2015-05-12 08:42:04 UTC
amd64 stable
Comment 5 Pacho Ramos gentoo-dev 2015-05-15 10:44:05 UTC
ppc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-16 04:04:45 UTC
Stable for PPC64.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-27 12:32:16 UTC
arm stable
Comment 8 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-05-28 08:10:01 UTC
It works on x86 for me, so I'm marking it as stable there too, since it looks like x86 was forgotten, and I see no reason to wait even longer to have them see it, test it and stabilize it.

All archs stable, so removing old version.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-05-28 17:00:04 UTC
CVE Requested May 26 - http://seclists.org/oss-sec/2015/q2/569
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-05-28 17:02:39 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 11 Alexander Tsoy 2015-05-28 17:34:10 UTC
(In reply to Yury German from comment #9)
> CVE Requested May 26 - http://seclists.org/oss-sec/2015/q2/569
CVEs also requested for other vulnerabilities fixed in 2.4-r3:
http://seclists.org/oss-sec/2015/q2/396
http://seclists.org/oss-sec/2015/q2/397
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 12:54:10 UTC
CVE-2015-4146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4146):
  The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through
  2.4 does not clear the L (Length) and M (More) flags before determining if a
  response should be fragmented, which allows remote attackers to cause a
  denial of service (crash) via a crafted message.

CVE-2015-4145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4145):
  The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0
  through 2.4 does not validate a fragment is already being processed, which
  allows remote attackers to cause a denial of service (memory leak) via a
  crafted message.

CVE-2015-4144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4144):
  The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0
  through 2.4 does not validate that a message is long enough to contain the
  Total-Length field, which allows remote attackers to cause a denial of
  service (crash) via a crafted message.

CVE-2015-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4143):
  The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0
  through 2.4 allows remote attackers to cause a denial of service
  (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm
  message payload.

CVE-2015-4142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4142):
  Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through
  2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME
  functionality, allows remote attackers to cause a denial of service (crash)
  via a crafted frame, which triggers an out-of-bounds read.

CVE-2015-4141 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4141):
  The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant,
  when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote
  attackers to cause a denial of service (crash) via a negative chunk length,
  which triggers an out-of-bounds read or heap-based buffer overflow.
Comment 13 Alexander Tsoy 2015-10-28 02:56:56 UTC
Why is "(CVE - Pending)" in the summary?
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-06-27 10:35:53 UTC
This issue was resolved and addressed in
 GLSA 201606-17 at https://security.gentoo.org/glsa/201606-17
by GLSA coordinator Aaron Bauman (b-man).