hostapd: vulnerability was found in EAP-pwd server (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
A vulnerability was found in the EAP-pwd server and peer implementations used in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and EAP-pwd/Confirm message payload is processed without verifying that the received frame is long enough to include all the fields. This results in a buffer read overflow of up to a couple of hundred bytes.
The exact result of this buffer overflow depends on the platform and may be either not noticeable (i.e., authentication fails due to invalid data without any additional side effects) or process termination due to the buffer read overflow being detected and stopped. The latter case could potentially result in denial of service when EAP-pwd authentication is used.
Further research into this issue found that the fragment reassembly processing is also missing a check for the Total-Length field and this could result in the payload length becoming negative. This itself would not add more to the vulnerability due to the payload length not being verified anyway. However, it is possible that a related reassembly step would result in hitting an internal security check on buffer use and result in the processing being terminated.
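The two checks the advisory describes as missing (payload length for Commit/Confirm, and presence and bounds of Total-Length during fragment reassembly), shown in an added C example that is not hostapd's or wpa_supplicant's code. It follows the simplified EAP-pwd body layout from RFC 5931 (flag byte with L, M and exchange id; 2-byte Total-Length only when L is set; then the exchange data). The field sizes, the Total-Length cap and all function and constant names are assumptions made for this illustration:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified EAP-pwd body layout after RFC 5931. All names, sizes and limits
 * below are assumptions for this example, not values taken from hostapd. */
#define PWD_FLAG_L       0x80
#define PWD_FLAG_M       0x40
#define PWD_EXCH_MASK    0x3f
#define PWD_EXCH_COMMIT  2
#define PWD_EXCH_CONFIRM 3
#define PWD_PRIME_LEN    32    /* assumed 256-bit group: element = 2 * prime_len */
#define PWD_ORDER_LEN    32    /* assumed scalar length */
#define PWD_CONFIRM_LEN  32    /* assumed SHA-256 confirm value */
#define PWD_MAX_TOTAL    15000 /* assumed cap on Total-Length for reassembly */

enum pwd_result {
    PWD_OK = 0,             /* complete, well-formed message */
    PWD_NEED_MORE = 1,      /* fragment stored, waiting for the rest */
    PWD_ERR_SHORT = -1,     /* frame shorter than the fields it claims to carry */
    PWD_ERR_TOTAL = -2,     /* Total-Length zero or above the cap */
    PWD_ERR_OVERFLOW = -3,  /* fragments do not add up to Total-Length */
    PWD_ERR_LEN = -4,       /* Commit/Confirm payload has the wrong size */
    PWD_ERR_STATE = -5      /* continuation fragment with no reassembly open */
};

struct pwd_reasm {
    uint8_t *buf;   /* reassembly buffer, sized from Total-Length */
    size_t total;   /* announced Total-Length */
    size_t used;    /* bytes collected so far */
};

static void pwd_reasm_reset(struct pwd_reasm *r)
{
    free(r->buf);   /* always released, so an aborted reassembly cannot leak */
    r->buf = NULL;
    r->total = r->used = 0;
}

/* The check the advisory describes as missing: the payload must be exactly
 * as long as the fields that will be read from it. */
static int pwd_check_payload_len(uint8_t exch, size_t len)
{
    switch (exch) {
    case PWD_EXCH_COMMIT:  return len == 2 * PWD_PRIME_LEN + PWD_ORDER_LEN ? PWD_OK : PWD_ERR_LEN;
    case PWD_EXCH_CONFIRM: return len == PWD_CONFIRM_LEN ? PWD_OK : PWD_ERR_LEN;
    default:               return PWD_ERR_LEN;
    }
}

/* Feed one EAP-pwd body (starting at the flag byte). On PWD_OK, *out/*out_len
 * point at the complete payload, valid until the next call on the same state. */
int pwd_process(struct pwd_reasm *r, const uint8_t *frame, size_t len,
                const uint8_t **out, size_t *out_len)
{
    if (len < 1) return PWD_ERR_SHORT;
    uint8_t flags = frame[0], exch = flags & PWD_EXCH_MASK;
    const uint8_t *pos = frame + 1;
    size_t left = len - 1;

    if (flags & PWD_FLAG_L) {
        /* Total-Length must be proven present before it is read. */
        if (left < 2) return PWD_ERR_SHORT;
        size_t total = ((size_t)pos[0] << 8) | pos[1];
        pos += 2; left -= 2;
        if (total == 0 || total > PWD_MAX_TOTAL) return PWD_ERR_TOTAL;
        pwd_reasm_reset(r);
        r->buf = malloc(total);
        if (!r->buf) return PWD_ERR_TOTAL;
        r->total = total;
    }

    if (r->buf) {
        /* bounded copy: a fragment may never write past the announced total */
        if (left > r->total - r->used) { pwd_reasm_reset(r); return PWD_ERR_OVERFLOW; }
        memcpy(r->buf + r->used, pos, left);
        r->used += left;
        if (flags & PWD_FLAG_M) return PWD_NEED_MORE;
        if (r->used != r->total) { pwd_reasm_reset(r); return PWD_ERR_OVERFLOW; }
        *out = r->buf; *out_len = r->used;
    } else {
        if (flags & PWD_FLAG_M) return PWD_ERR_STATE;
        *out = pos; *out_len = left;
    }
    return pwd_check_payload_len(exch, *out_len);
}

int main(void)
{
    /* constructed input: a Commit body 10 bytes shorter than its fields need */
    uint8_t truncated[1 + 86] = { PWD_EXCH_COMMIT };
    struct pwd_reasm r = { NULL, 0, 0 };
    const uint8_t *out; size_t out_len;
    printf("truncated commit -> %d (expect %d)\n",
           pwd_process(&r, truncated, sizeof(truncated), &out, &out_len), PWD_ERR_LEN);
    pwd_reasm_reset(&r);
    return 0;
}
```

The ordering matters: every length is checked against what is actually present before any byte is read or copied, and a reassembly that fails is always freed, so an over-long or truncated fragment ends in an error code rather than an out-of-bounds read or a leaked buffer.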
Vulnerable versions/configurations
hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and EAP-pwd authentication server enabled in runtime configuration.
wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime.
Acknowledgments
Thanks to Kostya Kortchinsky of Google Security Team for discovering and reporting this issue.
Possible mitigation steps
- Merge the following commits and rebuild hostapd/wpa_supplicant:
  CVE-2015-4143:
    EAP-pwd peer: Fix payload length validation for Commit and Confirm
    EAP-pwd server: Fix payload length validation for Commit and Confirm
  CVE-2015-4144 (length check) + CVE-2015-4145 (memory leak):
    EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
    EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  CVE-2015-4146:
    EAP-pwd peer: Fix asymmetric fragmentation behavior
  These patches are available from http://w1.fi/security/2015-4/
- Update to hostapd/wpa_supplicant v2.5 or newer, once available
- Remove CONFIG_EAP_PWD=y from the build configuration
- Disable EAP-pwd in the runtime configuration
References:
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
http://www.openwall.com/lists/oss-security/2015/05/31/6
(from redmine: issue id 4334, created on 2015-06-15, closed on 2015-06-16)
- Relations:
- child #4335 (closed)
- child #4336 (closed)
- child #4337 (closed)
- child #4338 (closed)