Bug 1211191 (CVE-2015-1863)

Summary: CVE-2015-1863 wpa_supplicant: P2P SSID processing vulnerability
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: carnil, dcbw, rkhan, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: wpa_supplicant 2.5 Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way wpa_supplicant handled SSID information in the Wi-Fi Direct / P2P management frames. A specially crafted frame could allow an attacker within Wi-Fi radio range to cause wpa_supplicant to crash or, possibly, execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-06-11 18:40:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1215134, 1215890, 1215891    
Bug Blocks: 1211193    
Attachments:
Description Flags
0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch none

Description Vasyl Kaigorodov 2015-04-13 09:37:54 UTC 
A vulnerability in P2P functionality in wpa_supplicant has been discovered.

A vulnerability was found in how wpa_supplicant uses SSID information
parsed from management frames that create or update P2P peer entries
(e.g., Probe Response frame or number of P2P Public Action frames). SSID
field has valid length range of 0-32 octets. However, it is transmitted
in an element that has a 8-bit length field and potential maximum
payload length of 255 octets. wpa_supplicant was not sufficiently
verifying the payload length on one of the code paths using the SSID
received from a peer device.

This can result in copying arbitrary data from an attacker to a fixed
length buffer of 32 bytes (i.e., a possible overflow of up to 223
bytes). The SSID buffer is within struct p2p_device that is allocated
from heap. The overflow can override couple of variables in the struct,
including a pointer that gets freed. In addition about 150 bytes (the
exact length depending on architecture) can be written beyond the end of
the heap allocation.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to wpa_supplicant process crash, exposure of memory contents during
GO Negotiation, and potentially arbitrary code execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled

Attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a suitably constructed
management frame that triggers a P2P peer device information to be
created or updated.

The vulnerability is easiest to exploit while the device has started an
active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
interface command in progress). However, it may be possible, though
significantly more difficult, to trigger this even without any active
P2P operation in progress.

Possible mitigation steps

- Merge the following commits to wpa_supplicant and rebuild it:

  P2P: Validate SSID element length before copying it

  This patch is available from http://w1.fi/security/2015-1/

- Update to wpa_supplicant v2.5 or newer, once available

- Disable P2P (control interface command "P2P_SET disabled 1" or
  "p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
  configuration file)

External References:

http://w1.fi/security/2015-1/

Acknowledgements:

Red Hat would like to thank Jouni Malinen of the wpa_supplicant upstream for reporting this issue. Upstream acknowledges Alibaba security team as the original reporter.
Comment 1 Vasyl Kaigorodov 2015-04-15 10:00:53 UTC 
Created attachment 1014657 [details]
0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch

Suggested patch
Comment 2 Tomas Hoger 2015-04-24 11:38:17 UTC 
Public now via upstream advisory:

http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt

Upstream commit:

http://w1.fi/cgit/hostap/commit/?id=9ed4eee345f85e3025c33c6e20aa25696e341ccd
Comment 3 Tomas Hoger 2015-04-24 11:39:49 UTC 
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1215134]
Comment 4 Tomas Hoger 2015-04-24 12:33:43 UTC 
Alibaba security team advisory:

http://security.alibaba.com/blog/blog.htm?id=19
http://seclists.org/fulldisclosure/2015/Apr/82
Comment 5 Tomas Hoger 2015-04-27 14:08:01 UTC 
This issue only affected wpa_supplicant versions 1.0 and later.  The wpa_supplicant packages in Red Hat Enterprise Linux 6 and earlier are based on older upstream versions (0.x), which do not include vulnerable code and hence are not affected.

The wpa_supplicant is commonly used with NetworkManager.  The NetworkManager in Red Hat Enterprise Linux 7 does not configure wpa_supplicant to search for or create P2P / WLAN Direct networks.  Upstream advisory notes that such configurations that do not perform any active P2P operations are also affected, but the issue is harder to trigger.

Raising priority, as wpa_supplicant is typically run as root.

Statement:

This issue did not affect the wpa_supplicant versions as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 8 errata-xmlrpc 2015-06-11 17:48:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1090 https://rhn.redhat.com/errata/RHSA-2015-1090.html