Bugzilla – Bug 953115
VUL-0: CVE-2015-5314, CVE-2015-5315, CVE-2015-5316: wpa_supplicant EAP overflows
Last modified: 2018-10-19 12:05:29 UTC
Created attachment 654137: Original message + patch

There's a new bug report from upstream. It's a lengthy text and contains patches inline, so I am only pasting the important part here and attach the whole stuff for the fixes.

-----8<-----------------

I discovered a couple of vulnerabilities in wpa_supplicant and hostapd EAP-pwd implementation which were unfortunately missed in the earlier review. These can result in a DoS attack within radio range if EAP-pwd is enabled in runtime configuration (which is not a very common choice today). Due to temporal proximity with CVE-2015-5310, I'm grouping publication of these issues with it and as such, request a matching embargo period until November 10th.

I would like to request two CVE IDs to be assigned for the vulnerability:
- 2015-7 EAP-pwd missing last fragment length validation (same issue in both hostapd and wpa_supplicant)
- 2015-8 EAP-pwd peer error path failure on unexpected Confirm message (wpa_supplicant)

I'm including the current drafts of the security advisories and patches to fix the issues. Please let me know if you have any feedback or questions on these.

EAP-pwd missing last fragment length validation

Published: November 10, 2015
Identifier: CVE-<to be assigned>
Latest version available from: http://w1.fi/security/2015-7/

Vulnerability

A vulnerability was found in the EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length was not checked for the last fragment (but was checked for other fragments). This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.

For hostapd used with an internal EAP server and EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack by an attacker within radio range of the AP device. For hostapd used as a RADIUS server with EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack by an attacker within radio range of any AP device that is authorized to use the RADIUS server. For wpa_supplicant with EAP-pwd enabled in a network configuration profile, this could allow a denial of service attack by an attacker within radio range.

Vulnerable versions/configurations

hostapd v1.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and EAP-pwd authentication server enabled in runtime configuration.

wpa_supplicant v1.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime.
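The advisory above describes a reassembly handler that validates the remaining buffer space for every fragment except the last one, so an oversized last fragment only gets stopped by the guard inside wpabuf_put_data(), whose failure path terminates the process. The following is an added illustration of that pattern and of its fix; it is not hostapd or wpa_supplicant code, and the names (struct reasm, FLAG_MORE_FRAGMENTS, frag_unchecked, frag_checked, the FRAG_* result codes) are assumptions made for the example. The low-level guard is modelled as a distinct FRAG_FATAL return so the two outcomes can be compared without actually aborting.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of feeding one fragment to a handler (names are this example's own). */
enum frag_result {
    FRAG_OK = 0,      /* fragment stored, more expected */
    FRAG_DONE = 1,    /* last fragment stored, message complete */
    FRAG_DROP = -1,   /* handler rejected the frame; message discarded, process lives */
    FRAG_FATAL = -2   /* low-level buffer guard tripped; the real library aborts here */
};

#define FLAG_MORE_FRAGMENTS 0x40  /* hypothetical "more fragments follow" bit */

/* Reassembly buffer sized from the announced total length of the message. */
struct reasm {
    uint8_t *data;
    size_t size;   /* announced total length */
    size_t used;   /* bytes received so far */
};

static int reasm_init(struct reasm *r, size_t total_len)
{
    r->data = malloc(total_len ? total_len : 1);
    if (r->data == NULL)
        return -1;
    r->size = total_len;
    r->used = 0;
    return 0;
}

static void reasm_free(struct reasm *r)
{
    free(r->data);
    r->data = NULL;
    r->size = r->used = 0;
}

/* Stand-in for wpabuf_put_data(): its bounds check stops the overwrite, but the
 * library treats that as an internal error and terminates the process. */
static enum frag_result buf_put_data(struct reasm *r, const uint8_t *p, size_t len)
{
    if (len > r->size - r->used)
        return FRAG_FATAL;
    memcpy(r->data + r->used, p, len);
    r->used += len;
    return FRAG_OK;
}

typedef enum frag_result (*frag_handler)(struct reasm *, uint8_t,
                                         const uint8_t *, size_t);

/* Flawed pattern: remaining space is validated only when more fragments follow,
 * so an oversized last fragment reaches the low-level guard. */
static enum frag_result frag_unchecked(struct reasm *r, uint8_t flags,
                                       const uint8_t *p, size_t len)
{
    int last = !(flags & FLAG_MORE_FRAGMENTS);
    if (!last && len > r->size - r->used)
        return FRAG_DROP;
    enum frag_result res = buf_put_data(r, p, len);
    return res != FRAG_OK ? res : (last ? FRAG_DONE : FRAG_OK);
}

/* Corrected pattern: every fragment, the last one included, is checked against
 * the remaining space before anything is copied. */
static enum frag_result frag_checked(struct reasm *r, uint8_t flags,
                                     const uint8_t *p, size_t len)
{
    int last = !(flags & FLAG_MORE_FRAGMENTS);
    if (len > r->size - r->used)
        return FRAG_DROP;
    enum frag_result res = buf_put_data(r, p, len);
    return res != FRAG_OK ? res : (last ? FRAG_DONE : FRAG_OK);
}

/* Drive a constructed two-fragment message through a handler and return the
 * result of the last fragment fed. Fragment lengths are capped at 64 bytes. */
static enum frag_result two_fragment_message(frag_handler h, size_t total,
                                             size_t first_len, size_t last_len)
{
    uint8_t payload[64];
    struct reasm r;
    enum frag_result res;

    if (first_len > sizeof payload || last_len > sizeof payload)
        return FRAG_DROP;
    memset(payload, 0xAB, sizeof payload);  /* constructed filler bytes */
    if (reasm_init(&r, total) != 0)
        return FRAG_DROP;
    res = h(&r, FLAG_MORE_FRAGMENTS, payload, first_len);
    if (res == FRAG_OK)
        res = h(&r, 0, payload, last_len);
    reasm_free(&r);
    return res;
}

int main(void)
{
    /* An 8-byte message announced, 5 bytes in the first fragment, 5 in the last. */
    printf("unchecked handler: %d\n", two_fragment_message(frag_unchecked, 8, 5, 5)); /* -2 */
    printf("checked handler:   %d\n", two_fragment_message(frag_checked, 8, 5, 5));   /* -1 */
    return 0;
}
```

With a well-formed message both handlers complete reassembly; with a last fragment larger than the remaining space, the unchecked handler falls through to the low-level guard (the termination path the advisory describes), whereas the checked handler drops the frame and carries on.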
CRD: 10 Nov. 2015
code12:
# EAP-pwd (secure authentication using only a password)
#CONFIG_EAP_PWD=y
code11-sp2: CONFIG_EAP_PWD was not found
factory, 13.1, 13.2: see code12
Thx. Then closing as INVALID.
Since EAP PWD is about to be enabled due to bug 1109209 (bsc#1109209), this needs also to be addressed in order to not introduce new bugs.
I don't think we'll enable EAP_PWD in CODE11 now. For CODE12, I've submitted a wpa_supplicant that should have this fixed (maintenance request 174729). For CODE15, we had wpa_supplicant 2.6 from the start, which has the fixes already.