From ${URL} :

EAP-pwd missing payload length validation

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-4/

Vulnerability

A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and EAP-pwd/Confirm message payload is processed without verifying that the received frame is long enough to include all the fields. This results in a buffer read overflow of up to a couple of hundred bytes. The exact result of this buffer overflow depends on the platform and may be either not noticeable (i.e., authentication fails due to invalid data without any additional side effects) or process termination due to the buffer read overflow being detected and stopped. The latter case could potentially result in denial of service when EAP-pwd authentication is used.

Further research into this issue found that the fragment reassembly processing is also missing a check for the Total-Length field and this could result in the payload length becoming negative. This itself would not add more to the vulnerability due to the payload length not being verified anyway. However, it is possible that a related reassembly step would result in hitting an internal security check on buffer use and result in the processing being terminated.

Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and EAP-pwd authentication server enabled in runtime configuration.

wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and reporting this issue.

Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:
  EAP-pwd peer: Fix payload length validation for Commit and Confirm
  EAP-pwd server: Fix payload length validation for Commit and Confirm
  EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  EAP-pwd peer: Fix asymmetric fragmentation behavior
  These patches are available from http://w1.fi/security/2015-4/
- Update to hostapd/wpa_supplicant v2.5 or newer, once available
- Remove CONFIG_EAP_PWD=y from build configuration
- Disable EAP-pwd in runtime configuration

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
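The length checks the advisory above describes as missing, written out as an added defensive example in C. This is not hostapd/wpa_supplicant code and not one of the linked patches; it assumes the EAP-pwd flag byte and Total-Length layout from RFC 5931 (L and M flag bits, exchange id in the low six bits, a 16-bit Total-Length only when L is set), field sizes for a 256-bit ECC group with SHA-256 (32-byte prime, order and hash), and a hypothetical reassembly state struct and result codes of its own. The frames in the demo functions are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flag byte per RFC 5931: L = Total-Length present, M = more fragments follow. */
enum { PWD_FLAG_L = 0x80, PWD_FLAG_M = 0x40, PWD_EXCH_MASK = 0x3f };
enum { PWD_EXCH_COMMIT = 2, PWD_EXCH_CONFIRM = 3 };
/* Assumed field sizes for a 256-bit ECC group with SHA-256 (not from the page). */
enum { PRIME_LEN = 32, ORDER_LEN = 32, HASH_LEN = 32 };
#define PWD_MAX_REASM 4096   /* constructed cap on a reassembled message */

enum pwd_result { PWD_OK, PWD_NEED_MORE, PWD_ERR_SHORT, PWD_ERR_TOTAL_LEN,
                  PWD_ERR_STATE, PWD_ERR_PAYLOAD_LEN, PWD_ERR_EXCH };

/* Hypothetical per-session reassembly state: declared Total-Length, bytes collected so far. */
struct pwd_reasm { uint8_t buf[PWD_MAX_REASM]; size_t total_len, got; bool in_progress; };

/* Parse the flag byte and optional Total-Length, then reassemble fragments.
 * On PWD_OK, *payload/*payload_len describe the complete exchange payload. */
static enum pwd_result pwd_reassemble(struct pwd_reasm *r, const uint8_t *data, size_t len,
                                      const uint8_t **payload, size_t *payload_len, uint8_t *exch)
{
    if (len < 1) return PWD_ERR_SHORT;
    uint8_t lm = data[0];
    const uint8_t *pos = data + 1;
    size_t rem = len - 1;
    *exch = lm & PWD_EXCH_MASK;
    if (lm & PWD_FLAG_L) {
        if (rem < 2) return PWD_ERR_SHORT;          /* Total-Length must fit before it is read */
        size_t total = ((size_t)pos[0] << 8) | pos[1];
        pos += 2; rem -= 2;
        if (total > PWD_MAX_REASM) return PWD_ERR_TOTAL_LEN;
        if (r->in_progress) return PWD_ERR_STATE;   /* refuse a second start mid-reassembly */
        r->in_progress = true; r->total_len = total; r->got = 0;
    }
    if (!r->in_progress) {                          /* unfragmented message */
        if (lm & PWD_FLAG_M) return PWD_ERR_STATE;  /* continuation without a first fragment */
        *payload = pos; *payload_len = rem;
        return PWD_OK;
    }
    /* Guarded subtraction: a fragment may never exceed what Total-Length still
     * allows, so the remaining length can never go "negative". */
    if (rem > r->total_len - r->got) return PWD_ERR_TOTAL_LEN;
    memcpy(r->buf + r->got, pos, rem);
    r->got += rem;
    if (lm & PWD_FLAG_M) return PWD_NEED_MORE;
    r->in_progress = false;
    if (r->got != r->total_len) return PWD_ERR_TOTAL_LEN;  /* last fragment, message short */
    *payload = r->buf; *payload_len = r->got;
    return PWD_OK;
}
/* The check the advisory says was missing: the payload must hold exactly the
 * fields the exchange defines, verified before any field is read. */
static enum pwd_result pwd_check_payload_len(uint8_t exch, size_t payload_len)
{
    size_t want;
    switch (exch) {
    case PWD_EXCH_COMMIT:  want = 2 * PRIME_LEN + ORDER_LEN; break;  /* Element + Scalar */
    case PWD_EXCH_CONFIRM: want = HASH_LEN; break;
    default:               return PWD_ERR_EXCH;
    }
    return payload_len == want ? PWD_OK : PWD_ERR_PAYLOAD_LEN;
}

/* Full receive path: reassemble, then validate the payload length. */
static enum pwd_result pwd_process(struct pwd_reasm *r, const uint8_t *data, size_t len)
{
    const uint8_t *payload; size_t payload_len; uint8_t exch;
    enum pwd_result res = pwd_reassemble(r, data, len, &payload, &payload_len, &exch);
    return res != PWD_OK ? res : pwd_check_payload_len(exch, payload_len);
}
/* Constructed frames (not captured traffic), one per check. */
static enum pwd_result demo_truncated_commit(void)
{   /* Commit carrying only 10 payload bytes instead of 96 */
    struct pwd_reasm r = {0};
    uint8_t f[1 + 10] = { PWD_EXCH_COMMIT };
    return pwd_process(&r, f, sizeof f);                /* PWD_ERR_PAYLOAD_LEN */
}
static enum pwd_result demo_missing_total_len(void)
{   /* L flag set but only one byte follows, so Total-Length cannot be read */
    struct pwd_reasm r = {0};
    uint8_t f[2] = { PWD_FLAG_L | PWD_FLAG_M | PWD_EXCH_COMMIT, 0x00 };
    return pwd_process(&r, f, sizeof f);                /* PWD_ERR_SHORT */
}
static enum pwd_result demo_fragment_overrun(void)
{   /* Total-Length says 10 bytes, but the first fragment carries 50 */
    struct pwd_reasm r = {0};
    uint8_t f[1 + 2 + 50] = { PWD_FLAG_L | PWD_FLAG_M | PWD_EXCH_COMMIT, 0x00, 10 };
    return pwd_process(&r, f, sizeof f);                /* PWD_ERR_TOTAL_LEN */
}
static enum pwd_result demo_fragmented_commit(void)
{   /* 96-byte Commit split 50 + 46; only the last fragment completes it */
    struct pwd_reasm r = {0};
    uint8_t f1[1 + 2 + 50] = { PWD_FLAG_L | PWD_FLAG_M | PWD_EXCH_COMMIT, 0x00, 96 };
    uint8_t f2[1 + 46] = { PWD_EXCH_COMMIT };
    if (pwd_process(&r, f1, sizeof f1) != PWD_NEED_MORE) return PWD_ERR_STATE;
    return pwd_process(&r, f2, sizeof f2);              /* PWD_OK */
}
```

Every length decision is made before the corresponding bytes are read: the Total-Length field is only dereferenced after confirming two bytes remain, the per-fragment copy is bounded by a guarded subtraction against the declared Total-Length (so a Total-Length smaller than the data already carried is rejected rather than turning into a negative remaining length), a new L-flagged start while a message is still being reassembled is refused instead of silently replacing the buffer, and the Commit/Confirm payload is required to be exactly the size of its fields before any field is parsed.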
Bumped to 2.4-r2, which has these patches. Security team - please mark for stabilization if you want.
There are another two vulnerabilities published at the same time (May 4, 2015): http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt Can you handle them in this bug report? Or should I open separate bugs for them?
I have added them to -r3 - security, please stabilize that version instead. -r2 has been removed from the tree.
amd64 stable
ppc stable
Stable for PPC64.
arm stable
It works on x86 for me, so I'm marking it as stable there too, since it looks like x86 was forgotten, and I see no reason to wait even longer to have them see it, test it and stabilize it. All archs stable, so removing old version.
CVE Requested May 26 - http://seclists.org/oss-sec/2015/q2/569
Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request.
(In reply to Yury German from comment #9)
> CVE Requested May 26 - http://seclists.org/oss-sec/2015/q2/569

CVEs also requested for other vulnerabilities fixed in 2.4-r3:
http://seclists.org/oss-sec/2015/q2/396
http://seclists.org/oss-sec/2015/q2/397
CVE-2015-4146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4146): The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.

CVE-2015-4145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4145): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.

CVE-2015-4144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4144): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.

CVE-2015-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4143): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.

CVE-2015-4142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4142): Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read.

CVE-2015-4141 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4141): The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow.
Why is "(CVE - Pending)" in the summary?
This issue was resolved and addressed in GLSA 201606-17 at https://security.gentoo.org/glsa/201606-17 by GLSA coordinator Aaron Bauman (b-man).