Bugzilla – Bug 930079
VUL-0: CVE-2015-4143: wpa_supplicant: EAP-pwd missing payload length validation
Last modified: 2020-11-27 11:18:54 UTC
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt

EAP-pwd missing payload length validation

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-4/

Vulnerability

A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and EAP-pwd/Confirm message payload is processed without verifying that the received frame is long enough to include all the fields. This results in buffer read overflow of up to a couple of hundred bytes. The exact result of this buffer overflow depends on the platform and may be either not noticeable (i.e., authentication fails due to invalid data without any additional side effects) or process termination due to the buffer read overflow being detected and stopped. The latter case could potentially result in denial of service when EAP-pwd authentication is used.

Further research into this issue found that the fragment reassembly processing is also missing a check for the Total-Length field and this could result in the payload length becoming negative. This itself would not add more to the vulnerability due to the payload length not being verified anyway. However, it is possible that a related reassembly step would result in hitting an internal security check on buffer use and result in the processing being terminated.

Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and EAP-pwd authentication server enabled in runtime configuration.

wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and reporting this issue.

Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:
  EAP-pwd peer: Fix payload length validation for Commit and Confirm
  EAP-pwd server: Fix payload length validation for Commit and Confirm
  EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  EAP-pwd peer: Fix asymmetric fragmentation behavior
  These patches are available from http://w1.fi/security/2015-4/
- Update to hostapd/wpa_supplicant v2.5 or newer, once available
- Remove CONFIG_EAP_PWD=y from build configuration
- Disable EAP-pwd in runtime configuration

5 patches below http://w1.fi/security/2015-4/
sle11-sp2 not affected (version 0.7.1)
created request id 57202 (target SUSE:Maintenance:453)
bugbot adjusting priority
mr 13.1: created request id Request: #305846
mr 13.2: created request id Request: #305847
created request id 305848 (for devel project hardware for factory)
This is an autogenerated message for OBS integration: This bug (930079) was mentioned in
https://build.opensuse.org/request/show/305846 13.1 / wpa_supplicant
https://build.opensuse.org/request/show/305847 13.2 / wpa_supplicant
This issue got 4 CVEs assigned. http://www.openwall.com/lists/oss-security/2015/05/31/6

Use CVE-2015-4143 for the "The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message." issues in both 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch and 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch.

Use CVE-2015-4144 for "The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer." in both 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4145 for "check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoid a potential memory leak when processing invalid message." in both 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4146 for 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch.
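The two length checks described in the advisory above and in the CVE split (payload length before reading Commit fields, and Total-Length before reading and decrementing), written out as an added example in C. This is not hostapd's or wpa_supplicant's own code; it assumes a simplified layout (flags byte, optional 2-byte Total-Length when the L bit is set, then Element and Scalar of caller-supplied sizes) and the function name `eap_pwd_parse_commit` is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Layout assumed for this example (simplified; not hostapd's real structures):
 *   byte 0     : exchange/flags byte; bit 0x80 (L) announces a Total-Length field
 *   bytes 1..2 : Total-Length (big-endian), present only when L is set
 *   remainder  : Commit payload = Element (elem_len bytes) + Scalar (scalar_len bytes)
 */
#define EAP_PWD_L_BIT 0x80

struct eap_pwd_commit {
    const uint8_t *element;
    const uint8_t *scalar;
    uint16_t total_len;   /* 0 when no Total-Length field was present */
};

/* Returns 0 on success, a negative code on a length error. Every read is
 * preceded by a check that enough bytes remain, and len is decremented only
 * after that check, so it cannot go negative or wrap to a huge value the way
 * the advisory describes for the unpatched Total-Length handling. */
int eap_pwd_parse_commit(const uint8_t *buf, size_t len,
                         size_t elem_len, size_t scalar_len,
                         struct eap_pwd_commit *out)
{
    if (len < 1)
        return -1;               /* not even the flags byte */
    uint8_t flags = buf[0];
    buf++; len--;

    out->total_len = 0;
    if (flags & EAP_PWD_L_BIT) {
        if (len < 2)
            return -2;           /* Total-Length field truncated (CVE-2015-4144 class) */
        out->total_len = (uint16_t)((buf[0] << 8) | buf[1]);
        buf += 2; len -= 2;
    }

    /* Commit fields must fit entirely in what remains (CVE-2015-4143 class). */
    if (len < elem_len + scalar_len)
        return -3;
    out->element = buf;
    out->scalar = buf + elem_len;
    return 0;
}
```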
openSUSE-SU-2015:1030-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143
Sources used:
openSUSE 13.2 (src): wpa_supplicant-2.2-5.7.1
openSUSE 13.1 (src): wpa_supplicant-2.0-3.14.1
This is an autogenerated message for OBS integration: This bug (930079) was mentioned in
https://build.opensuse.org/request/show/345591 Factory / hostapd
SUSE-SU-2016:2305-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): wpa_supplicant-2.2-14.2
SUSE Linux Enterprise Desktop 12-SP1 (src): wpa_supplicant-2.2-14.2
openSUSE-SU-2016:2357-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
openSUSE Leap 42.1 (src): wpa_supplicant-2.2-8.1
fixed
openSUSE-SU-2017:2896-1: An update that fixes 14 vulnerabilities is now available.
Category: security (important)
Bug References: 1063479,930077,930078,930079
CVE References: CVE-2015-1863,CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-4144,CVE-2015-4145,CVE-2015-5314,CVE-2016-4476,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13087,CVE-2017-13088
Sources used:
openSUSE Leap 42.3 (src): hostapd-2.6-8.1
openSUSE Leap 42.2 (src): hostapd-2.6-5.3.1
SUSE-SU-2020:3380-1: An update that fixes 22 vulnerabilities, contains one feature is now available.
Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References: SLE-14992
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Server 15-LTSS (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): wpa_supplicant-2.9-4.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:2053-1: An update that fixes 22 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): wpa_supplicant-2.9-lp151.5.10.1
openSUSE-SU-2020:2059-1: An update that fixes 22 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): wpa_supplicant-2.9-lp152.8.3.1