Bug 930079 (CVE-2015-4143)

Summary: VUL-0: CVE-2015-4143: wpa_supplicant: EAP-pwd missing payload length validation
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Ruediger Oertel <ro>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, jsegitz, krahmer, vbotka
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
  CVSSv2:RedHat:CVE-2015-4146:2.9:(AV:A/AC:M/Au:N/C:N/I:N/A:P)
  CVSSv2:NVD:CVE-2015-4143:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
  CVSSv2:NVD:CVE-2015-4146:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
  CVSSv2:RedHat:CVE-2015-4144:2.9:(AV:A/AC:M/Au:N/C:N/I:N/A:P)
  CVSSv2:NVD:CVE-2015-4145:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
  CVSSv2:RedHat:CVE-2015-4143:2.9:(AV:A/AC:M/Au:N/C:N/I:N/A:P)
  CVSSv2:RedHat:CVE-2015-4145:2.9:(AV:A/AC:M/Au:N/C:N/I:N/A:P)
  CVSSv2:NVD:CVE-2015-4144:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2015-05-07 14:22:13 UTC
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt

EAP-pwd missing payload length validation

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-4/


Vulnerability

A vulnerability was found in the EAP-pwd server and peer implementations
used in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
a buffer read overflow of up to a couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.


Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.


Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.


Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:

  EAP-pwd peer: Fix payload length validation for Commit and Confirm
  EAP-pwd server: Fix payload length validation for Commit and Confirm
  EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from http://w1.fi/security/2015-4/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration



5 patches below http://w1.fi/security/2015-4/
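As an added illustration (not hostapd/wpa_supplicant code), the two length checks the advisory describes, in a minimal EAP-pwd frame parser: the exchange-byte layout follows RFC 5931, while the Commit/Confirm body sizes (ECC group 19) and the reassembly bound MAX_TOTAL_LEN are assumptions made for the example.

```c
/* Added example (not hostapd/wpa_supplicant code) of the length checks the
 * advisory describes. Exchange byte per RFC 5931: bit 7 = L (Total-Length
 * follows), bit 6 = M (more fragments), low 6 bits = exchange id. Body
 * sizes assume ECC group 19; MAX_TOTAL_LEN is a constructed bound. */
#include <stdint.h>
#include <string.h>

#define PWD_L_BIT 0x80
#define PWD_M_BIT 0x40
#define PWD_COMMIT 2
#define PWD_CONFIRM 3
#define COMMIT_BODY_LEN (2 * 32 + 32) /* Element (x,y) + Scalar */
#define CONFIRM_BODY_LEN 32           /* SHA-256 Confirm value */
#define MAX_TOTAL_LEN 4096

struct pwd_hdr { int exch, more, has_total; size_t total_len, body_len; const uint8_t *body; };

/* Parse the bytes after the EAP Type byte; every read is preceded by a
 * remaining-length test. Returns 0 on success, -1 on a short frame. */
int pwd_parse(const uint8_t *buf, size_t len, struct pwd_hdr *h)
{
    uint8_t exch_byte;
    memset(h, 0, sizeof(*h));
    if (len < 1) return -1;                /* no exchange byte at all */
    exch_byte = buf[0];
    h->exch = exch_byte & 0x3f;
    h->more = (exch_byte & PWD_M_BIT) != 0;
    buf++; len--;
    if (exch_byte & PWD_L_BIT) {
        /* CVE-2015-4144 class: check before reading Total-Length, so len
         * cannot underflow into a huge positive value. */
        if (len < 2) return -1;
        h->has_total = 1;
        h->total_len = ((size_t)buf[0] << 8) | buf[1];
        if (h->total_len == 0 || h->total_len > MAX_TOTAL_LEN)
            return -1;                     /* bound the reassembly buffer */
        buf += 2; len -= 2;
    }
    h->body = buf;
    h->body_len = len;
    return 0;
}

/* CVE-2015-4143 class: a (reassembled) Commit or Confirm body must contain
 * every field before any field is read. Returns 1 when acceptable. */
int pwd_body_ok(int exch, size_t body_len)
{
    if (exch == PWD_COMMIT)  return body_len == COMMIT_BODY_LEN;
    if (exch == PWD_CONFIRM) return body_len == CONFIRM_BODY_LEN;
    return 0;
}
```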
Comment 1 Ruediger Oertel 2015-05-07 15:12:52 UTC
sle11-sp2 not affected (version 0.7.1)
Comment 2 Ruediger Oertel 2015-05-07 15:31:32 UTC
created request id 57202 (target SUSE:Maintenance:453)
Comment 4 Swamp Workflow Management 2015-05-07 22:00:36 UTC
bugbot adjusting priority
Comment 5 Ruediger Oertel 2015-05-07 22:22:24 UTC
mr 13.1: created request id Request: #305846
mr 13.2: created request id Request: #305847
Comment 6 Ruediger Oertel 2015-05-07 22:34:10 UTC
created request id 305848 (for devel project hardware for factory)
Comment 7 Bernhard Wiedemann 2015-05-07 23:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (930079) was mentioned in
https://build.opensuse.org/request/show/305846 13.1 / wpa_supplicant
https://build.opensuse.org/request/show/305847 13.2 / wpa_supplicant
Comment 9 Alexander Bergmann 2015-06-01 07:47:03 UTC
This issue got 4 CVEs assigned.

http://www.openwall.com/lists/oss-security/2015/05/31/6

Use CVE-2015-4143 for the "The length of the received Commit and
Confirm message payloads was not checked before reading them. This
could result in a buffer read overflow when processing an invalid
message." issues in both
0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch and
0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch.

Use CVE-2015-4144 for "The remaining number of bytes in the message
could be smaller than the Total-Length field size, so the length needs
to be explicitly checked prior to reading the field and decrementing
the len variable. This could have resulted in the remaining length
becoming negative and interpreted as a huge positive integer." in both
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4145 for "check that there is no already started fragment
in progress before allocating a new buffer for reassembling fragments.
This avoids a potential memory leak when processing an invalid message."
in both
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4146 for
0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch.
Comment 10 Swamp Workflow Management 2015-06-11 12:05:30 UTC
openSUSE-SU-2015:1030-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143
Sources used:
openSUSE 13.2 (src):    wpa_supplicant-2.2-5.7.1
openSUSE 13.1 (src):    wpa_supplicant-2.0-3.14.1
Comment 13 Bernhard Wiedemann 2015-11-21 18:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (930079) was mentioned in
https://build.opensuse.org/request/show/345591 Factory / hostapd
Comment 15 Swamp Workflow Management 2016-09-14 17:10:16 UTC
SUSE-SU-2016:2305-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    wpa_supplicant-2.2-14.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    wpa_supplicant-2.2-14.2
Comment 16 Swamp Workflow Management 2016-09-23 14:12:08 UTC
openSUSE-SU-2016:2357-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
openSUSE Leap 42.1 (src):    wpa_supplicant-2.2-8.1
Comment 17 Johannes Segitz 2017-08-04 11:14:18 UTC
fixed
Comment 18 Swamp Workflow Management 2017-10-27 22:19:10 UTC
openSUSE-SU-2017:2896-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1063479,930077,930078,930079
CVE References: CVE-2015-1863,CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-4144,CVE-2015-4145,CVE-2015-5314,CVE-2016-4476,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13087,CVE-2017-13088
Sources used:
openSUSE Leap 42.3 (src):    hostapd-2.6-8.1
openSUSE Leap 42.2 (src):    hostapd-2.6-5.3.1
Comment 19 Swamp Workflow Management 2020-11-19 14:29:15 UTC
SUSE-SU-2020:3380-1: An update that fixes 22 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References: SLE-14992
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Server 15-LTSS (src):    wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    wpa_supplicant-2.9-4.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2020-11-26 20:41:19 UTC
openSUSE-SU-2020:2053-1: An update that fixes 22 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    wpa_supplicant-2.9-lp151.5.10.1
Comment 21 Swamp Workflow Management 2020-11-27 11:18:54 UTC
openSUSE-SU-2020:2059-1: An update that fixes 22 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    wpa_supplicant-2.9-lp152.8.3.1