[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] wpa_supplicant/hostapd: EAP-pwd message reassembly issue with unexpected fragment
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2019-04-26 21:45:29
Message-ID: 20190426214529.GA7525 () eldamar ! local
[Download RAW message or body]

Hi,

On Thu, Apr 18, 2019 at 06:59:26PM +0300, Jouni Malinen wrote:
> Published: April 18, 2019
> Latest version available from: https://w1.fi/security/2019-5/
> 
> Vulnerability
> 
> EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
> peer) was discovered not to validate fragmentation reassembly state
> properly for a case where an unexpected fragment could be received. This
> could result in process termination due to NULL pointer dereference.
> 
> An attacker in radio range of a station device with wpa_supplicant
> network profile enabling use of EAP-pwd could cause the wpa_supplicant
> process to terminate by constructing unexpected sequence of EAP
> messages. An attacker in radio range of an access point that points to
> hostapd as an authentication server with EAP-pwd user enabled in runtime
> configuration (or in non-WLAN uses of EAP authentication as long as the
> attacker can send EAP-pwd messages to the server) could cause the
> hostapd process to terminate by constructing unexpected sequence of EAP
> messages.
> 
> 
> Vulnerable versions/configurations
> 
> All hostapd and wpa_supplicant versions with EAP-pwd support
> (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
> in the runtime configuration) are vulnerable against the process
> termination (denial of service) attack.
> 
> 
> Possible mitigation steps
> 
> - Merge the following commits to wpa_supplicant/hostapd and rebuild:
> 
>   EAP-pwd peer: Fix reassembly buffer handling
>   EAP-pwd server: Fix reassembly buffer handling
> 
>   These patches are available from https://w1.fi/security/2019-5/
> 
> - Update to wpa_supplicant/hostapd v2.8 or newer, once available

MITRE (via cveform.mitre.org) assigned CVE-2019-11555 for this issue.

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]