EAP-pwd missing last fragment length validation

Jouni Malinen j at w1.fi
Tue Nov 10 09:38:36 PST 2015


EAP-pwd missing last fragment length validation

Published: November 10, 2015
Identifier: CVE-2015-5314 (hostapd), CVE-2015-5315 (wpa_supplicant)
Latest version available from: http://w1.fi/security/2015-7/


Vulnerability

A vulnerability was found in the EAP-pwd server and peer implementations
used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd
message is fragmented, the remaining reassembly buffer length was not
checked for the last fragment (it was checked for all other
fragments). This allowed a suitably constructed last fragment frame to
try to add more data than the remaining buffer space could hold. The
length validation in wpabuf_put_data() prevents an actual buffer write
overflow from occurring, but it does so by terminating the process.
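The reassembly check described above, as a simplified model added here for illustration (not hostapd's or wpa_supplicant's own code; struct and function names are assumptions, and put_data() stands in for wpabuf_put_data() by returning a code where the real function would terminate the process):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of an EAP-pwd reassembly buffer; assumed names, not
 * hostapd's wpabuf code. */
struct reasm {
    uint8_t buf[64];
    size_t total;   /* length announced in the first fragment */
    size_t used;    /* bytes received so far */
};

enum { REASM_OK = 0, REASM_DROP = -1, REASM_FATAL = -2 };

/* Stand-in for wpabuf_put_data(): its bounds check prevents the overflow,
 * but the real function can only terminate the process at that point. */
static int put_data(struct reasm *r, const uint8_t *d, size_t len)
{
    if (len > r->total - r->used)
        return REASM_FATAL;
    memcpy(r->buf + r->used, d, len);
    r->used += len;
    return REASM_OK;
}

/* check_last == 0 reproduces the vulnerable pattern: the remaining-length
 * check runs only when more fragments follow, so an oversized last fragment
 * reaches put_data(). check_last == 1 is the fixed pattern: every fragment
 * is checked and dropped before any write. */
static int add_fragment(struct reasm *r, const uint8_t *d, size_t len,
                        int more, int check_last)
{
    if ((more || check_last) && len > r->total - r->used)
        return REASM_DROP;
    return put_data(r, d, len);
}

/* Feed a first fragment (more=1) then a last fragment (more=0) of constructed
 * filler bytes and return the final result code. */
static int reassemble_two(int check_last, size_t total, size_t len1, size_t len2)
{
    struct reasm r = { .total = total <= 64 ? total : 64, .used = 0 };
    uint8_t frag[64];
    memset(frag, 0xAB, sizeof(frag));
    if (len1 > 64 || len2 > 64)
        return REASM_DROP;
    if (add_fragment(&r, frag, len1, 1, check_last) != REASM_OK)
        return REASM_DROP;
    return add_fragment(&r, frag, len2, 0, check_last);
}
```

With a 50-byte message, a 30-byte first fragment and a 30-byte last fragment, the unchecked variant reaches the fatal path while the fixed variant drops the frame and keeps the session alive.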

For hostapd used with an internal EAP server and EAP-pwd enabled in the
runtime configuration, this could allow a denial of service attack by an
attacker within radio range of the AP device.

For hostapd used as a RADIUS server with EAP-pwd enabled in the runtime
configuration, this could allow a denial of service attack by an
attacker within radio range of any AP device that is authorized to use
the RADIUS server.

For wpa_supplicant with EAP-pwd enabled in a network configuration
profile, this could allow a denial of service attack by an attacker
within radio range.


Vulnerable versions/configurations

hostapd v2.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa_supplicant v2.0-v2.5 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.


Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:

  EAP-pwd peer: Fix last fragment length validation
  EAP-pwd server: Fix last fragment length validation

  These patches are available from http://w1.fi/security/2015-7/

- Update to hostapd/wpa_supplicant v2.6 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration

-- 
Jouni Malinen                                            PGP id EFC895FA
