EAP-pwd peer error path failure on unexpected Confirm message
Jouni Malinen
j at w1.fi
Tue Nov 10 09:39:29 PST 2015
EAP-pwd peer error path failure on unexpected Confirm message
Published: November 10, 2015
Identifier: CVE-2015-5316
Latest version available from: http://w1.fi/security/2015-8/

Vulnerability

A vulnerability was found in the EAP-pwd peer implementation used in
wpa_supplicant. If an EAP-pwd Confirm message is received unexpectedly
before the Identity exchange, the error path processing ended up
dereferencing a NULL pointer and terminating the process.

For wpa_supplicant with EAP-pwd enabled in a network configuration
profile, this could allow a denial of service attack by an attacker
within radio range.

Vulnerable versions/configurations

wpa_supplicant v2.3-v2.5 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

Possible mitigation steps

- Merge the following commits and rebuild wpa_supplicant:

  EAP-pwd peer: Fix error path for unexpected Confirm message

  This patch is available from http://w1.fi/security/2015-8/

- Update to wpa_supplicant v2.6 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration
--
Jouni Malinen PGP id EFC895FA
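
The failure mode described under "Vulnerability", shown as an added C example that is not part of the advisory and is not wpa_supplicant code: a Confirm handler whose cleanup reads state that only the Identity exchange allocates, next to a guarded handler. All structure, state and function names here are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified peer model; not wpa_supplicant's own structures. */
enum pwd_state { ST_ID_REQ, ST_COMMIT_REQ, ST_CONFIRM_REQ, ST_SUCCESS, ST_FAILURE };
struct pwd_group { size_t prime_len; };
struct pwd_peer {
    enum pwd_state state;
    struct pwd_group *grp;  /* allocated only by the Identity exchange */
    unsigned char *secret;  /* allocated only by the Commit exchange */
};

int peer_handle_id(struct pwd_peer *p, size_t prime_len)
{
    if (p->state != ST_ID_REQ || !(p->grp = calloc(1, sizeof(*p->grp))))
        return -1;
    p->grp->prime_len = prime_len;
    p->state = ST_COMMIT_REQ;
    return 0;
}

int peer_handle_commit(struct pwd_peer *p)
{
    if (p->state != ST_COMMIT_REQ || !(p->secret = calloc(1, p->grp->prime_len)))
        return -1;
    p->state = ST_CONFIRM_REQ;
    return 0;
}

/* Unguarded: cleanup assumes the group exists; in ST_ID_REQ p->grp is NULL. */
int peer_handle_confirm_unguarded(struct pwd_peer *p, int mac_ok)
{
    memset(p->secret, 0, p->grp->prime_len);
    p->state = (p->state == ST_CONFIRM_REQ && mac_ok) ? ST_SUCCESS : ST_FAILURE;
    return p->state == ST_SUCCESS ? 0 : -1;
}

/* Guarded: check state and pointers first; cleanup tolerates a fresh peer. */
int peer_handle_confirm(struct pwd_peer *p, int mac_ok)
{
    int ready = p->state == ST_CONFIRM_REQ && p->grp && p->secret;
    if (ready)
        memset(p->secret, 0, p->grp->prime_len);
    p->state = (ready && mac_ok) ? ST_SUCCESS : ST_FAILURE;
    return p->state == ST_SUCCESS ? 0 : -1;
}

int main(void)
{
    struct pwd_peer p = { ST_ID_REQ, NULL, NULL };
    return peer_handle_confirm(&p, 1) == -1 ? 0 : 1;
}
```

On an in-order exchange both handlers behave the same; they differ only when Confirm is the first message the peer sees.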