EAP-pwd missing payload length validation

Jouni Malinen j
Mon May 4 01:34:27 PDT 2015 

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-4/


Vulnerability

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
buffer read overflow of up to couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.


Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.


Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.


Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:

  EAP-pwd peer: Fix payload length validation for Commit and Confirm
  EAP-pwd server: Fix payload length validation for Commit and Confirm
  EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from http://w1.fi/security/2015-4/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list