EAP-pwd missing last fragment length validation Published: November 10, 2015 Identifier: CVE-2015-5314 (hostapd), CVE-2015-5315 (wpa_supplicant) Latest version available from: http://w1.fi/security/2015-7/ Vulnerability A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length was not checked for the last fragment (but was checked for other fragments). This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination. For hostapd used with an internal EAP server and EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack by an attacker within radio range of the AP device. For hostapd used as a RADIUS server with EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack by an attacker within radio range of any AP device that is authorized to use the RADIUS server. For wpa_supplicant with EAP-pwd enabled in a network configuration profile, this could allow a denial of service attack by an attacker within radio range. Vulnerable versions/configurations hostapd v2.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and EAP-pwd authentication server enabled in runtime configuration. wpa_supplicant v2.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime. Possible mitigation steps - Merge the following commits and rebuild hostapd/wpa_supplicant: EAP-pwd peer: Fix last fragment length validation EAP-pwd server: Fix last fragment length validation These patches are available from http://w1.fi/security/2015-7/ - Update to hostapd/wpa_supplicant v2.6 or newer, once available - Remove CONFIG_EAP_PWD=y from build configuration - Disable EAP-pwd in runtime configuration -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap