EAP-pwd message reassembly issue with unexpected fragment

Jouni Malinen j at w1.fi
Thu Apr 18 08:58:30 PDT 2019

Published: April 18, 2019
Latest version available from: https://w1.fi/security/2019-5/


EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
peer) was discovered not to validate fragmentation reassembly state
properly for a case where an unexpected fragment could be received. This
could result in process termination due to NULL pointer dereference.

An attacker in radio range of a station device with wpa_supplicant
network profile enabling use of EAP-pwd could cause the wpa_supplicant
process to terminate by constructing unexpected sequence of EAP
messages. An attacker in radio range of an access point that points to
hostapd as an authentication server with EAP-pwd user enabled in runtime
configuration (or in non-WLAN uses of EAP authentication as long as the
attacker can send EAP-pwd messages to the server) could cause the
hostapd process to terminate by constructing unexpected sequence of EAP

Vulnerable versions/configurations

All hostapd and wpa_supplicant versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration) are vulnerable against the process
termination (denial of service) attack.

Possible mitigation steps

- Merge the following commits to wpa_supplicant/hostapd and rebuild:

  EAP-pwd peer: Fix reassembly buffer handling
  EAP-pwd server: Fix reassembly buffer handling

  These patches are available from https://w1.fi/security/2019-5/

- Update to wpa_supplicant/hostapd v2.8 or newer, once available

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list