Re: wpa_supplicant/hostapd: EAP-pwd message reassembly issue with unexpected fragment

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Thu, Apr 18, 2019 at 06:59:26PM +0300, Jouni Malinen wrote:
> Published: April 18, 2019
> Latest version available from: https://w1.fi/security/2019-5/
>
> Vulnerability
>
> EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
> peer) was discovered not to validate fragmentation reassembly state
> properly for a case where an unexpected fragment could be received. This
> could result in process termination due to NULL pointer dereference.
>
> An attacker in radio range of a station device with wpa_supplicant
> network profile enabling use of EAP-pwd could cause the wpa_supplicant
> process to terminate by constructing unexpected sequence of EAP
> messages. An attacker in radio range of an access point that points to
> hostapd as an authentication server with EAP-pwd user enabled in runtime
> configuration (or in non-WLAN uses of EAP authentication as long as the
> attacker can send EAP-pwd messages to the server) could cause the
> hostapd process to terminate by constructing unexpected sequence of EAP
> messages.
>
>
> Vulnerable versions/configurations
>
> All hostapd and wpa_supplicant versions with EAP-pwd support
> (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
> in the runtime configuration) are vulnerable against the process
> termination (denial of service) attack.
>
>
> Possible mitigation steps
>
> - Merge the following commits to wpa_supplicant/hostapd and rebuild:
>
>   EAP-pwd peer: Fix reassembly buffer handling
>   EAP-pwd server: Fix reassembly buffer handling
>
>   These patches are available from https://w1.fi/security/2019-5/
>
> - Update to wpa_supplicant/hostapd v2.8 or newer, once available

MITRE (via cveform.mitre.org) assigned CVE-2019-11555 for this issue.

Regards,
Salvatore