Bug 548744 (CVE-2015-4143) - <net-wireless/hostapd-2.4-r2: EAP-pwd missing payload length validation (CVE-2015-{4143,4144,4145,4146})
Status: RESOLVED FIXED
Alias: CVE-2015-4143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://w1.fi/security/2015-4/eap-pwd-...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-06 08:21 UTC by Agostino Sarubbo
Modified: 2016-06-27 10:36 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-05-06 08:21:44 UTC
From ${URL}:

EAP-pwd missing payload length validation

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-4/


Vulnerability

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
a buffer read overflow of up to a couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.


Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.


Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.


Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:

  EAP-pwd peer: Fix payload length validation for Commit and Confirm
  EAP-pwd server: Fix payload length validation for Commit and Confirm
  EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from http://w1.fi/security/2015-4/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
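The checks the advisory above says were missing (frame long enough to hold the Total-Length field, Total-Length consistent with the fragment so the remaining payload length cannot go negative, and Commit/Confirm payloads sized exactly for the group's fields before they are indexed) can be seen together in a small reassembling parser. The block below is an added example for this page, not hostapd/wpa_supplicant source; the names eap_pwd_feed, feed_built and struct pwd_reasm, the MAX_TOTAL cap, and the 32-byte prime/order/hash sizes (a 256-bit EC group) are assumptions for illustration, where the real code derives the sizes from the negotiated group. The sample frames in main() are constructed, not captured.

```c
/* Added example for this bug: a simplified EAP-pwd payload parser with the length
 * checks the advisory describes as missing. Illustrative code written for this
 * page, not hostapd/wpa_supplicant source. Field sizes are assumed for a 256-bit
 * EC group with a 32-byte confirm hash; real code derives them from the group. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PWD_L_BIT        0x80 /* Length bit: a 2-byte Total-Length follows the flag octet */
#define PWD_M_BIT        0x40 /* More bit: further fragments follow */
#define PWD_EXCH_MASK    0x3f /* PWD-Exch: 1 = ID, 2 = Commit, 3 = Confirm */
#define PWD_EXCH_COMMIT  2
#define PWD_EXCH_CONFIRM 3
#define PRIME_LEN  32                          /* assumed: field element size */
#define ORDER_LEN  32                          /* assumed: group order size */
#define HASH_LEN   32                          /* assumed: confirm hash size */
#define COMMIT_LEN (2 * PRIME_LEN + ORDER_LEN) /* Element (x, y) + Scalar */
#define MAX_TOTAL  4096                        /* assumed cap on a reassembled message */

enum pwd_status {
    PWD_DONE = 0,          /* complete, correctly sized message in r->buf */
    PWD_MORE = 1,          /* fragment stored, waiting for the rest */
    PWD_ERR_SHORT = -1,    /* no room for the Total-Length field (cf. CVE-2015-4144) */
    PWD_ERR_TOTLEN = -2,   /* Total-Length zero, too large, or inconsistent */
    PWD_ERR_INPROG = -3,   /* new Total-Length while reassembling (cf. CVE-2015-4145) */
    PWD_ERR_OVERFLOW = -4, /* fragment exceeds the announced Total-Length */
    PWD_ERR_PAYLOAD = -5   /* Commit/Confirm payload wrongly sized (cf. CVE-2015-4143) */
};

struct pwd_reasm {
    uint8_t buf[MAX_TOTAL];
    size_t tot_len;        /* announced total, 0 when no reassembly is active */
    size_t used;
    uint8_t exch;
};

/* Feed one EAP-pwd payload (the bytes after the EAP Type octet). */
int eap_pwd_feed(struct pwd_reasm *r, const uint8_t *pos, size_t len)
{
    if (len < 1) return PWD_ERR_SHORT;
    uint8_t lm_exch = pos[0];
    pos++; len--;
    if (lm_exch & PWD_L_BIT) {
        if (r->tot_len != 0) { r->tot_len = 0; return PWD_ERR_INPROG; } /* second first-fragment */
        if (len < 2) return PWD_ERR_SHORT;      /* Total-Length must really be present */
        size_t tot = ((size_t)pos[0] << 8) | pos[1];
        pos += 2; len -= 2;
        if (tot == 0 || tot > MAX_TOTAL || tot < len) return PWD_ERR_TOTLEN; /* no negative remainder */
        r->tot_len = tot; r->used = 0; r->exch = lm_exch & PWD_EXCH_MASK;
    } else if (r->tot_len == 0) {               /* unfragmented: payload is all here */
        if (len == 0 || len > MAX_TOTAL || (lm_exch & PWD_M_BIT))
            return PWD_ERR_TOTLEN;              /* a first fragment must carry Total-Length */
        r->tot_len = len; r->used = 0; r->exch = lm_exch & PWD_EXCH_MASK;
    }
    if (r->used + len > r->tot_len) { r->tot_len = 0; return PWD_ERR_OVERFLOW; }
    memcpy(r->buf + r->used, pos, len);         /* bounded copy into the buffer */
    r->used += len;
    if (lm_exch & PWD_M_BIT) return PWD_MORE;
    size_t payload = r->used, announced = r->tot_len;
    uint8_t exch = r->exch;
    r->tot_len = 0;                             /* reassembly finished either way */
    if (payload != announced) return PWD_ERR_TOTLEN;
    /* Only now is it safe to index the fixed-size fields of the payload. */
    if (exch == PWD_EXCH_COMMIT && payload != COMMIT_LEN) return PWD_ERR_PAYLOAD;
    if (exch == PWD_EXCH_CONFIRM && payload != HASH_LEN) return PWD_ERR_PAYLOAD;
    return PWD_DONE;
}

/* Build a constructed frame (flag octet, Total-Length if L is set, zeroed body) and feed it. */
int feed_built(struct pwd_reasm *r, uint8_t flags, uint16_t tot, size_t body_len)
{
    uint8_t frame[MAX_TOTAL + 3];
    size_t n = 0;
    if (body_len > MAX_TOTAL)
        return PWD_ERR_OVERFLOW;
    frame[n++] = flags;
    if (flags & PWD_L_BIT) {
        frame[n++] = (uint8_t)(tot >> 8);
        frame[n++] = (uint8_t)(tot & 0xff);
    }
    memset(frame + n, 0, body_len);
    return eap_pwd_feed(r, frame, n + body_len);
}

int main(void)
{
    struct pwd_reasm r = {0};
    uint8_t l_only[1] = { PWD_L_BIT | PWD_EXCH_COMMIT };   /* constructed: L set, Total-Length missing */
    printf("well-sized Commit: %d\n", feed_built(&r, PWD_EXCH_COMMIT, 0, COMMIT_LEN));
    printf("truncated Commit:  %d\n", feed_built(&r, PWD_EXCH_COMMIT, 0, 50));
    printf("no Total-Length:   %d\n", eap_pwd_feed(&r, l_only, sizeof l_only));
    printf("fragment 1 of 2:   %d\n", feed_built(&r, PWD_L_BIT | PWD_M_BIT | PWD_EXCH_COMMIT, COMMIT_LEN, 40));
    printf("fragment 2 of 2:   %d\n", feed_built(&r, PWD_EXCH_COMMIT, 0, COMMIT_LEN - 40));
    return 0;
}
```

The order of the checks is the point: the flag octet is read only after len is known to be at least 1, the Total-Length only after len is at least 2, the fragment is copied only after it is known to fit the announced total, and the Commit/Confirm field sizes are compared only once the whole message has arrived. A truncated Commit therefore fails with PWD_ERR_PAYLOAD instead of being parsed past the end of the buffer, and a frame that sets L without carrying a Total-Length fails with PWD_ERR_SHORT instead of reading two bytes of whatever follows the frame.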
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-05-08 18:15:16 UTC
Bumped to 2.4-r2, which has these patches.

Security team - please mark for stabilization if you want.
Comment 2 Alexander Tsoy 2015-05-08 18:28:08 UTC
Guys, there are another two vulnerabilities published at the same time (May 4, 2015):
http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt

Can you handle them in this bug report? Or should I open separate bugs for them?
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-05-11 14:51:36 UTC
I have added them to -r3 - security, please stabilize that version instead.
-r2 has been removed from the tree.
Comment 4 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-05-11 14:54:51 UTC
Mixed them up - -r1 has been removed, and -r2 has been added.

Please stabilize -r2
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-11 20:36:36 UTC
Arches, please test and mark stable:

=net-wireless/hostapd-2.4-r2

Target Keywords : "amd64 ppc x86"

Thank you!
Comment 6 Pacho Ramos gentoo-dev 2015-05-15 11:19:27 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-05-18 08:46:18 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-05-19 07:26:52 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-05-20 11:07:45 UTC
Done, the old version has been removed :-)
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-20 12:41:53 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-07-05 21:31:19 UTC
CVE-2015-4146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4146):
  The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through
  2.4 does not clear the L (Length) and M (More) flags before determining if a
  response should be fragmented, which allows remote attackers to cause a
  denial of service (crash) via a crafted message.

CVE-2015-4145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4145):
  The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0
  through 2.4 does not validate a fragment is already being processed, which
  allows remote attackers to cause a denial of service (memory leak) via a
  crafted message.

CVE-2015-4144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4144):
  The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0
  through 2.4 does not validate that a message is long enough to contain the
  Total-Length field, which allows remote attackers to cause a denial of
  service (crash) via a crafted message.

CVE-2015-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4143):
  The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0
  through 2.4 allows remote attackers to cause a denial of service
  (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm
  message payload.
Comment 12 Alexander Tsoy 2015-10-28 03:00:58 UTC
Security, you forgot about CVE-2015-{4141,4142}
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-06-27 10:36:01 UTC
This issue was resolved and addressed in
 GLSA 201606-17 at https://security.gentoo.org/glsa/201606-17
by GLSA coordinator Aaron Bauman (b-man).