Bug#927463: wpa: EAP-pwd message reassembly issue with unexpected fragment

2019-04-25 Thread Andrej Shadura
Hi,

On Sat, 20 Apr 2019 at 08:15, Salvatore Bonaccorso wrote:
> Hi
>
> From [1]
>
> > EAP-pwd message reassembly issue with unexpected fragment
> >
> > Published: April 18, 2019
> > Latest version available from: https://w1.fi/security/2019-5/

Thanks for filing the bug. I was aware of this issue but since I was
about to leave for a holiday, I did nothing on that front :) I will
address it tomorrow.

-- 
Cheers,
  Andrej



Bug#927463: wpa: EAP-pwd message reassembly issue with unexpected fragment

2019-04-20 Thread Salvatore Bonaccorso
Source: wpa
Version: 2:2.7+git20190128+0c1e29f-4
Severity: important
Tags: patch security upstream

Hi

From [1]

> EAP-pwd message reassembly issue with unexpected fragment
> 
> Published: April 18, 2019
> Latest version available from: https://w1.fi/security/2019-5/
> 
> Vulnerability
> 
> EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
> peer) was discovered not to validate fragmentation reassembly state
> properly for a case where an unexpected fragment could be received. This
> could result in process termination due to NULL pointer dereference.
> 
> An attacker in radio range of a station device with wpa_supplicant
> network profile enabling use of EAP-pwd could cause the wpa_supplicant
> process to terminate by constructing an unexpected sequence of EAP
> messages. An attacker in radio range of an access point that points to
> hostapd as an authentication server with EAP-pwd user enabled in runtime
> configuration (or in non-WLAN uses of EAP authentication as long as the
> attacker can send EAP-pwd messages to the server) could cause the
> hostapd process to terminate by constructing an unexpected sequence of EAP
> messages.
> 
> 
> Vulnerable versions/configurations
> 
> All hostapd and wpa_supplicant versions with EAP-pwd support
> (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
> in the runtime configuration) are vulnerable to the process
> termination (denial of service) attack.
> 
> 
> Possible mitigation steps
> 
> - Merge the following commits to wpa_supplicant/hostapd and rebuild:
> 
>   EAP-pwd peer: Fix reassembly buffer handling
>   EAP-pwd server: Fix reassembly buffer handling
> 
>   These patches are available from https://w1.fi/security/2019-5/
> 
> - Update to wpa_supplicant/hostapd v2.8 or newer, once available

[1] https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt

No CVE assigned AFAIK (yet).

Regards,
Salvatore
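The reassembly-state check the advisory describes, as an added example that is not hostapd's or wpa_supplicant's code and is not the upstream patch: a small EAP-pwd fragment reassembler written defensively. It assumes the RFC 5931 section 3.1 layout (first octet carries the L flag, meaning a Total-Length field follows and this is a first fragment, and the M flag, meaning more fragments follow); the `pwd_reasm_*` names, the result enum and the sample fragments are constructed for this illustration. The check marked "unexpected fragment" is the one whose absence the advisory describes: a continuation fragment arriving with no reassembly in progress must be rejected before anything writes through the (still NULL) buffer pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not hostapd/wpa_supplicant code.
 * EAP-pwd payload header (RFC 5931 section 3.1): one octet with the
 * L flag (Total-Length present, first fragment), the M flag (more
 * fragments follow) and the exchange id in the low six bits. */
#define EAP_PWD_HDR_L 0x80
#define EAP_PWD_HDR_M 0x40

struct pwd_reasm {
    uint8_t *buf;   /* NULL whenever no reassembly is in progress */
    size_t total;   /* Total-Length announced by the first fragment */
    size_t pos;     /* bytes accumulated so far */
};

enum pwd_result {
    PWD_FRAG_MORE,     /* fragment stored, waiting for the rest */
    PWD_FRAG_COMPLETE, /* whole message available via msg/msg_len */
    PWD_FRAG_REJECT    /* unexpected or malformed fragment; state reset */
};

/* Drop any partial message and return to the idle state. Also call this
 * after consuming a PWD_FRAG_COMPLETE result, since st owns the buffer. */
void pwd_reasm_reset(struct pwd_reasm *st)
{
    free(st->buf);
    st->buf = NULL;
    st->total = 0;
    st->pos = 0;
}

/* Process one EAP-pwd payload (the bytes after the EAP header).
 * On PWD_FRAG_COMPLETE, *msg/*msg_len describe the full message; for an
 * unfragmented message they point into pkt, otherwise into st->buf. */
enum pwd_result pwd_reasm_process(struct pwd_reasm *st,
                                  const uint8_t *pkt, size_t len,
                                  const uint8_t **msg, size_t *msg_len)
{
    if (len < 1)
        return PWD_FRAG_REJECT;
    uint8_t flags = pkt[0];
    const uint8_t *data = pkt + 1;
    size_t dlen = len - 1;

    if (flags & EAP_PWD_HDR_L) {
        /* First fragment: a 16-bit Total-Length follows the flags. A first
         * fragment while another reassembly is in progress is itself
         * unexpected; the old partial message is discarded. */
        if (dlen < 2)
            return PWD_FRAG_REJECT;
        size_t total = ((size_t)data[0] << 8) | data[1];
        data += 2;
        dlen -= 2;
        pwd_reasm_reset(st);
        if (total == 0 || dlen > total)
            return PWD_FRAG_REJECT;
        st->buf = malloc(total);
        if (st->buf == NULL)
            return PWD_FRAG_REJECT;
        st->total = total;
    } else if (st->buf == NULL) {
        if (flags & EAP_PWD_HDR_M) {
            /* Unexpected fragment: a continuation with no reassembly in
             * progress. Without this check the memcpy below would write
             * through a NULL st->buf, which is the crash the advisory
             * describes. */
            return PWD_FRAG_REJECT;
        }
        /* Neither L nor M and nothing buffered: an unfragmented message. */
        *msg = data;
        *msg_len = dlen;
        return PWD_FRAG_COMPLETE;
    }

    /* Bounds check against the announced total before copying. */
    if (dlen > st->total - st->pos) {
        pwd_reasm_reset(st);
        return PWD_FRAG_REJECT;
    }
    memcpy(st->buf + st->pos, data, dlen);
    st->pos += dlen;

    if (flags & EAP_PWD_HDR_M)
        return PWD_FRAG_MORE;
    /* Last fragment: the message must be exactly as long as announced. */
    if (st->pos != st->total) {
        pwd_reasm_reset(st);
        return PWD_FRAG_REJECT;
    }
    *msg = st->buf;
    *msg_len = st->total;
    return PWD_FRAG_COMPLETE;
}
```

The state machine has exactly one "in progress" indicator, `st->buf != NULL`, and every branch that could touch the buffer is reached only after that indicator has been tested; every rejection path returns the state to idle so a later well-formed message is still accepted.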