Bug 927558 (CVE-2015-1863) - VUL-0: CVE-2015-1863: wpa_supplicant: P2P vulnerability
Summary: VUL-0: CVE-2015-1863: wpa_supplicant: P2P vulnerability
Status: RESOLVED FIXED
Alias: CVE-2015-1863
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2015-1863:3.2:(AV:A/A...
 
Reported: 2015-04-17 08:31 UTC by Marcus Meissner
Modified: 2022-02-13 11:07 UTC (History)
3 users

Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Marcus Meissner 2015-04-17 08:33:53 UTC
CVE-2015-1863
Comment 3 Swamp Workflow Management 2015-04-17 22:00:24 UTC
bugbot adjusting priority
Comment 4 Ruediger Oertel 2015-04-19 23:42:57 UTC
code10: no p2p code
code11: no p2p code
Comment 5 Ruediger Oertel 2015-04-19 23:52:34 UTC
submitted to SUSE:Maintenance as rq 55668
this also includes the fixes still pending from SUSE:Maintenance:453,
please tell me if these should be excluded
Comment 6 Ruediger Oertel 2015-04-19 23:57:28 UTC
13.1/13.2 submits are ready in /mounts/work_users/ro/OBS/home:oertel:branches:OBS_Maintained:wpa_supplicant,
but not checked in yet, please tell me when to check these in.
Comment 8 Marcus Meissner 2015-04-21 13:25:02 UTC
yes, we will. please hold :)
Comment 9 Thomas Biege 2015-04-23 19:57:21 UTC
It is public now.
Comment 10 Ruediger Oertel 2015-04-23 22:03:00 UTC
created request id Request: #299041
created request id Request: #299042
Comment 11 Ruediger Oertel 2015-04-23 22:03:37 UTC
all submitted, closing here.
Comment 12 Bernhard Wiedemann 2015-04-23 23:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (927558) was mentioned in
https://build.opensuse.org/request/show/299041 13.1 / wpa_supplicant
https://build.opensuse.org/request/show/299042 13.2 / wpa_supplicant
Comment 14 Swamp Workflow Management 2015-05-01 13:04:55 UTC
openSUSE-SU-2015:0813-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 927558
CVE References: CVE-2015-1863
Sources used:
openSUSE 13.2 (src):    wpa_supplicant-2.2-5.4.1
openSUSE 13.1 (src):    wpa_supplicant-2.0-3.11.1
Comment 15 Andreas Stieger 2015-05-07 14:14:40 UTC
public at http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt

wpa_supplicant P2P SSID processing vulnerability

Published: April 22, 2015
Identifier: CVE-2015-1863
Latest version available from: http://w1.fi/security/2015-1/


Vulnerability

A vulnerability was found in how wpa_supplicant uses SSID information
parsed from management frames that create or update P2P peer entries
(e.g., Probe Response frame or a number of P2P Public Action frames). The
SSID field has a valid length range of 0-32 octets. However, it is
transmitted in an element that has an 8-bit length field and a potential
maximum payload length of 255 octets. wpa_supplicant was not sufficiently
verifying the payload length on one of the code paths using the SSID
received from a peer device.

This can result in copying arbitrary data from an attacker to a fixed
length buffer of 32 bytes (i.e., a possible overflow of up to 223
bytes). The SSID buffer is within struct p2p_device that is allocated
from the heap. The overflow can overwrite a couple of variables in the
struct, including a pointer that gets freed. In addition, about 150 bytes
(the exact length depending on architecture) can be written beyond the
end of the heap allocation.

This could result in corrupted heap state, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to wpa_supplicant process crash, exposure of memory contents during
GO Negotiation, and potentially arbitrary code execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled

The attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a suitably constructed
management frame that triggers P2P peer device information to be
created or updated.

The vulnerability is easiest to exploit while the device has started an
active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
interface command in progress). However, it may be possible, though
significantly more difficult, to trigger this even without any active
P2P operation in progress.


Acknowledgments

Thanks to the Google security team for reporting this issue and the smart
hardware research group of the Alibaba security team for discovering it.


Possible mitigation steps

- Merge the following commits to wpa_supplicant and rebuild it:

  P2P: Validate SSID element length before copying it (CVE-2015-1863)

  This patch is available from http://w1.fi/security/2015-1/

- Update to wpa_supplicant v2.5 or newer, once available

- Disable P2P (control interface command "P2P_SET disabled 1" or
  "p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
  configuration file)

- Disable P2P from the build (remove CONFIG_P2P=y)
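The length check the advisory's fix adds, shown as an added illustration in C (this is not wpa_supplicant's code and not from the advisory; the element layout follows the IEEE 802.11 SSID element, and struct peer_entry is a hypothetical stand-in for the SSID part of struct p2p_device):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* IEEE 802.11 SSID limit quoted in the advisory */
#define WLAN_EID_SSID 0   /* element ID of the SSID element */

/* Hypothetical stand-in for the SSID fields of struct p2p_device: a fixed
 * 32-byte buffer followed by fields that an unchecked copy would clobber. */
struct peer_entry {
    uint8_t ssid[SSID_MAX_LEN];
    size_t ssid_len;
    void *freed_later;   /* stands in for the pointer the advisory says gets freed */
};

/* Copy the SSID element ie[0..ie_len) into the peer entry.
 * ie[0] = element ID, ie[1] = 8-bit length, ie[2..] = payload (up to 255 bytes).
 * Returns 0 on success, -1 if the element is malformed or oversized.
 * The advisory's bug is the absence of the "len > SSID_MAX_LEN" test: the
 * 8-bit length field alone cannot guarantee the payload fits a 32-byte buffer. */
int peer_set_ssid_from_ie(struct peer_entry *dev, const uint8_t *ie, size_t ie_len)
{
    if (dev == NULL || ie == NULL || ie_len < 2)
        return -1;
    if (ie[0] != WLAN_EID_SSID)
        return -1;
    size_t len = ie[1];
    if (len + 2 > ie_len)        /* element claims more bytes than the frame carries */
        return -1;
    if (len > SSID_MAX_LEN)      /* the CVE-2015-1863 fix: reject, never copy beyond 32 */
        return -1;
    memcpy(dev->ssid, ie + 2, len);
    dev->ssid_len = len;
    return 0;
}

/* Constructed inputs: a 6-byte SSID and an element carrying the maximum 255-byte payload. */
int demo_valid_ssid(void)
{
    struct peer_entry dev = {0};
    uint8_t ok_ie[2 + 6] = { WLAN_EID_SSID, 6, 'D', 'I', 'R', 'E', 'C', 'T' };
    if (peer_set_ssid_from_ie(&dev, ok_ie, sizeof ok_ie) != 0)
        return -1;
    return (int)dev.ssid_len;     /* 6 */
}

int demo_oversized_ssid(void)
{
    struct peer_entry dev = {0};
    uint8_t bad_ie[2 + 255];
    bad_ie[0] = WLAN_EID_SSID;
    bad_ie[1] = 255;
    memset(bad_ie + 2, 'A', 255);
    return peer_set_ssid_from_ie(&dev, bad_ie, sizeof bad_ie);   /* -1: rejected */
}
```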
Comment 16 Swamp Workflow Management 2015-06-09 08:05:37 UTC
SUSE-SU-2015:1013-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 900611,915323,927558
CVE References: CVE-2014-3686,CVE-2015-0210,CVE-2015-1863
Sources used:
SUSE Linux Enterprise Server 12 (src):    wpa_supplicant-2.2-8.1
SUSE Linux Enterprise Desktop 12 (src):    wpa_supplicant-2.2-8.1
Comment 17 Johannes Segitz 2017-08-04 11:04:29 UTC
fixed