<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: wpa_supplicant/hostapd: EAP-pwd message reassembly issue with unexpected fragment
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 26 Apr 2019 23:45:29 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi,
On Thu, Apr 18, 2019 at 06:59:26PM +0300, Jouni Malinen wrote:
Published: April 18, 2019
Latest version available from: https://w1.fi/security/2019-5/
Vulnerability
EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
peer) was discovered not to validate fragmentation reassembly state
properly for a case where an unexpected fragment could be received. This
could result in process termination due to NULL pointer dereference.
An attacker in radio range of a station device with wpa_supplicant
network profile enabling use of EAP-pwd could cause the wpa_supplicant
process to terminate by constructing unexpected sequence of EAP
messages. An attacker in radio range of an access point that points to
hostapd as an authentication server with EAP-pwd user enabled in runtime
configuration (or in non-WLAN uses of EAP authentication as long as the
attacker can send EAP-pwd messages to the server) could cause the
hostapd process to terminate by constructing unexpected sequence of EAP
messages.
Vulnerable versions/configurations
All hostapd and wpa_supplicant versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration) are vulnerable against the process
termination (denial of service) attack.
Possible mitigation steps
- Merge the following commits to wpa_supplicant/hostapd and rebuild:
EAP-pwd peer: Fix reassembly buffer handling
EAP-pwd server: Fix reassembly buffer handling
These patches are available from https://w1.fi/security/2019-5/
- Update to wpa_supplicant/hostapd v2.8 or newer, once available
MITRE (via cveform.mitre.org) assigned CVE-2019-11555 for this issue.
Regards,
Salvatore
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
wpa_supplicant/hostapd: EAP-pwd message reassembly issue with unexpected fragment Jouni Malinen (Apr 18)
Re: wpa_supplicant/hostapd: EAP-pwd message reassembly issue with unexpected fragment Salvatore Bonaccorso (Apr 26)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->