EAP-pwd peer error path failure on unexpected Confirm message Published: November 10, 2015 Identifier: CVE-2015-5316 Latest version available from: http://w1.fi/security/2015-8/ Vulnerability A vulnerability was found in EAP-pwd peer implementation used in wpa_supplicant. If an EAP-pwd Confirm message is received unexpectedly before the Identity exchange, the error path processing ended up dereferencing a NULL pointer and terminating the process. For wpa_supplicant with EAP-pwd enabled in a network configuration profile, this could allow a denial of service attack by an attacker within radio range. Vulnerable versions/configurations wpa_supplicant v2.3-v2.5 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime. Possible mitigation steps - Merge the following commits and rebuild wpa_supplicant: EAP-pwd peer: Fix error path for unexpected Confirm message This patch is available from http://w1.fi/security/2015-8/ - Update to wpa_supplicant v2.6 or newer, once available - Remove CONFIG_EAP_PWD=y from build configuration - Disable EAP-pwd in runtime configuration -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap