oss-sec mailing list archives
Re: wpa_supplicant/hostapd: EAP-pwd message reassembly issue with unexpected fragment
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 26 Apr 2019 23:45:29 +0200
Hi, On Thu, Apr 18, 2019 at 06:59:26PM +0300, Jouni Malinen wrote:
Published: April 18, 2019 Latest version available from: https://w1.fi/security/2019-5/ Vulnerability EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) was discovered not to validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to NULL pointer dereference. An attacker in radio range of a station device with wpa_supplicant network profile enabling use of EAP-pwd could cause the wpa_supplicant process to terminate by constructing unexpected sequence of EAP messages. An attacker in radio range of an access point that points to hostapd as an authentication server with EAP-pwd user enabled in runtime configuration (or in non-WLAN uses of EAP authentication as long as the attacker can send EAP-pwd messages to the server) could cause the hostapd process to terminate by constructing unexpected sequence of EAP messages. Vulnerable versions/configurations All hostapd and wpa_supplicant versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled in the runtime configuration) are vulnerable against the process termination (denial of service) attack. Possible mitigation steps - Merge the following commits to wpa_supplicant/hostapd and rebuild: EAP-pwd peer: Fix reassembly buffer handling EAP-pwd server: Fix reassembly buffer handling These patches are available from https://w1.fi/security/2019-5/ - Update to wpa_supplicant/hostapd v2.8 or newer, once available
MITRE (via cveform.mitre.org) assigned CVE-2019-11555 for this issue. Regards, Salvatore
Current thread:
- wpa_supplicant/hostapd: EAP-pwd message reassembly issue with unexpected fragment Jouni Malinen (Apr 18)
- Re: wpa_supplicant/hostapd: EAP-pwd message reassembly issue with unexpected fragment Salvatore Bonaccorso (Apr 26)