Bugzilla – Bug 930078
VUL-0: CVE-2015-4142: wpa_supplicant: Integer underflow in AP mode WMM Action frame processing
Last modified: 2020-11-27 11:18:48 UTC
Created attachment 633610
advisory patch

From http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt

Integer underflow in AP mode WMM Action frame processing

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-3/

Vulnerability

A vulnerability was found in WMM Action frame processing in a case where hostapd or wpa_supplicant is used to implement AP mode MLME/SME functionality (i.e., Host AP driver or a mac80211-based driver on Linux).

The AP mode WMM Action frame parser in hostapd/wpa_supplicant goes through the variable length information element part with the length of this area calculated by removing the header length from the total length of the frame. The frame length is previously verified to be large enough to include the IEEE 802.11 header, but the couple of additional bytes after this header are not explicitly verified and as a result of this, there may be an integer underflow that results in the signed integer variable storing the length becoming negative. This negative value is then interpreted as a very large unsigned integer length when parsing the information elements. This results in a buffer read overflow and process termination.

This vulnerability can be used to perform denial of service attacks by an attacker that is within radio range of the AP that uses hostapd or wpa_supplicant for MLME/SME operations.

Vulnerable versions/configurations

hostapd v0.5.5-v2.4 with CONFIG_DRIVER_HOSTAP=y or CONFIG_DRIVER_NL80211=y in the build configuration (hostapd/.config).

wpa_supplicant v0.7.0-v2.4 with CONFIG_AP=y or CONFIG_P2P=y and CONFIG_DRIVER_HOSTAP=y or CONFIG_DRIVER_NL80211=y in the build configuration (wpa_supplicant/.config) and AP (including P2P GO) mode used at runtime.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and reporting this issue.
Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:

  AP WMM: Fix integer underflow in WMM Action frame parser

  This patch is available from http://w1.fi/security/2015-3/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- wpa_supplicant: Do not enable AP mode or P2P GO operation at runtime
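The length calculation the advisory describes, as an added example (not code from hostapd/wpa_supplicant or from this bug report): a simplified model of the signed underflow beside a checked element walker. The function names and the 4-byte `FIXED_LEN` are assumptions for illustration, and the sample frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN   24  /* IEEE 802.11 management header */
#define FIXED_LEN 4   /* assumed fixed-field size before the elements */

/* Vulnerable pattern: the caller only verified frame_len >= HDR_LEN. */
static int ie_len_unchecked(size_t frame_len)
{
    return (int)frame_len - HDR_LEN - FIXED_LEN;   /* negative if < 28 */
}

/* Hardened pattern: reject short frames first and keep the length unsigned. */
static int ie_len_checked(size_t frame_len, size_t *ie_len)
{
    if (frame_len < (size_t)(HDR_LEN + FIXED_LEN))
        return -1;
    *ie_len = frame_len - HDR_LEN - FIXED_LEN;
    return 0;
}

/* Count well-formed id/len/value elements; -1 on short or truncated input. */
static int count_ies(const uint8_t *frame, size_t frame_len)
{
    const uint8_t *pos;
    size_t left;
    int n = 0;
    if (ie_len_checked(frame_len, &left) < 0)
        return -1;
    pos = frame + HDR_LEN + FIXED_LEN;
    while (left >= 2) {
        size_t elen = pos[1];
        if (elen > left - 2)
            return -1;          /* element runs past the end of the frame */
        pos += 2 + elen;
        left -= 2 + elen;
        n++;
    }
    return left == 0 ? n : -1;  /* a lone trailing byte is malformed */
}

int main(void)
{
    /* constructed sample: header, fixed fields, one 3-byte element */
    uint8_t frame[33] = { [28] = 0xdd, [29] = 3 };
    printf("26 bytes: signed %d, unsigned %zu; elements: %d\n",
           ie_len_unchecked(26), (size_t)ie_len_unchecked(26),
           count_ies(frame, sizeof(frame)));
    return 0;
}
```
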
sle11-sp2 submitted
created request id 57202 (target SUSE:Maintenance:453)
bugbot adjusting priority
mr 13.1: created request id Request: #305846
mr 13.2: created request id Request: #305847
created request id 305848 (for devel project hardware for factory)
This is an autogenerated message for OBS integration:
This bug (930078) was mentioned in
https://build.opensuse.org/request/show/305846 13.1 / wpa_supplicant
https://build.opensuse.org/request/show/305847 13.2 / wpa_supplicant
CVE-2015-4142 was assigned to this issue.
openSUSE-SU-2015:1030-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143
Sources used:
openSUSE 13.2 (src): wpa_supplicant-2.2-5.7.1
openSUSE 13.1 (src): wpa_supplicant-2.0-3.14.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-07-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62176
This is an autogenerated message for OBS integration:
This bug (930078) was mentioned in
https://build.opensuse.org/request/show/345591 Factory / hostapd
SUSE-SU-2015:2221-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078
CVE References: CVE-2015-4141,CVE-2015-4142
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): wpa_supplicant-0.7.1-6.17.4
SUSE Linux Enterprise Server 11-SP4 (src): wpa_supplicant-0.7.1-6.17.4
SUSE Linux Enterprise Server 11-SP3 (src): wpa_supplicant-0.7.1-6.17.4
SUSE Linux Enterprise Desktop 11-SP4 (src): wpa_supplicant-0.7.1-6.17.4
SUSE Linux Enterprise Desktop 11-SP3 (src): wpa_supplicant-0.7.1-6.17.4
SUSE-SU-2016:2305-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): wpa_supplicant-2.2-14.2
SUSE Linux Enterprise Desktop 12-SP1 (src): wpa_supplicant-2.2-14.2
openSUSE-SU-2016:2357-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
openSUSE Leap 42.1 (src): wpa_supplicant-2.2-8.1
fixed
openSUSE-SU-2017:2896-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1063479,930077,930078,930079
CVE References: CVE-2015-1863,CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-4144,CVE-2015-4145,CVE-2015-5314,CVE-2016-4476,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13087,CVE-2017-13088
Sources used:
openSUSE Leap 42.3 (src): hostapd-2.6-8.1
openSUSE Leap 42.2 (src): hostapd-2.6-5.3.1
SUSE-SU-2020:3380-1: An update that fixes 22 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References: SLE-14992
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Server 15-LTSS (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): wpa_supplicant-2.9-4.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:2053-1: An update that fixes 22 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): wpa_supplicant-2.9-lp151.5.10.1
openSUSE-SU-2020:2059-1: An update that fixes 22 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): wpa_supplicant-2.9-lp152.8.3.1