Bug 1219449 (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)

Summary: CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146 wpa_supplicant and hostapd: EAP-pwd missing payload length validation
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: carnil, dcbw, linville, negativo17, rkhan
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: hostapd 2.5, wpa_supplicant 2.5
Doc Type: Bug Fix
Last Closed: 2015-05-13 13:33:01 UTC
Bug Depends On: 1219452, 1219453, 1219454, 1219455
Bug Blocks: 1219461

Description Martin Prpič 2015-05-07 11:56:07 UTC
The following flaw was found in the EAP-pwd server and peer implementation of wpa_supplicant and hostapd:

The EAP-pwd/Commit and EAP-pwd/Confirm message payload is processed without verifying that the received frame is long enough to include all the fields. This results in a buffer read overflow of up to a couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may be either not noticeable (i.e., authentication fails due to invalid data without any additional side effects) or process termination due to the buffer read overflow being detected and stopped. The latter case could potentially result in denial of service when EAP-pwd authentication is used.

Further research into this issue found that the fragment reassembly processing is also missing a check for the Total-Length field and this could result in the payload length becoming negative. This itself would not add more to the vulnerability due to the payload length not being verified anyway. However, it is possible that a related reassembly step would result in hitting an internal security check on buffer use and result in the processing being terminated.

Note that this issue affects instances with CONFIG_EAP_PWD=y and the EAP-pwd authentication server enabled in the runtime configuration.

Upstream patches:

http://w1.fi/security/2015-4/

External References:

http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
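As an added illustration (not code from wpa_supplicant, hostapd or the upstream patches), the two checks the advisory describes, written against a simplified EAP-pwd frame layout: the Commit payload length check and the Total-Length presence check during fragment reassembly. The flag value, field sizes, group parameters and return codes are assumptions made for this example.

```c
/* Added example, not wpa_supplicant/hostapd code: the length checks the
 * upstream fixes describe, on a simplified EAP-pwd layout (RFC 5931): one
 * PWD-Exch octet whose L flag (0x80) means a 2-octet Total-Length follows,
 * then a Commit payload = Element (2 * prime_len) + Scalar (order_len).
 * Return value: 0 = accepted, negative = rejected before any field is read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define EAP_PWD_HDR_L 0x80
/* Read Total-Length only after confirming both octets are present, so the
 * remaining length cannot underflow (the CVE-2015-4144 class of bug). */
static int eap_pwd_parse_header(const uint8_t *buf, size_t len,
                                uint16_t *total_len, size_t *payload_len)
{
    size_t pos = 0;
    if (len < 1) return -1;             /* no PWD-Exch octet at all */
    uint8_t exch = buf[pos++];
    *total_len = 0;
    if (exch & EAP_PWD_HDR_L) {
        if (len - pos < 2)
            return -2;                  /* Total-Length field truncated */
        *total_len = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;
    }
    *payload_len = len - pos;           /* pos <= len here, so no wraparound */
    return 0;
}

/* Check the Commit payload size before reading Element or Scalar (the
 * CVE-2015-4143 class of bug); this example requires the exact size. */
static int eap_pwd_check_commit(const uint8_t *buf, size_t len,
                                size_t prime_len, size_t order_len)
{
    uint16_t total_len; size_t payload_len;
    int rc = eap_pwd_parse_header(buf, len, &total_len, &payload_len);
    if (rc < 0)
        return rc;
    return payload_len == 2 * prime_len + order_len ? 0 : -3;
}

/* Constructed frames for a group with 32-byte prime and order (96-byte Commit). */
static int demo_valid(void)   { uint8_t f[97] = {0x02}; return eap_pwd_check_commit(f, sizeof f, 32, 32); }
static int demo_short(void)   { uint8_t f[11] = {0x02}; return eap_pwd_check_commit(f, sizeof f, 32, 32); }
static int demo_cut_hdr(void) { uint8_t f[2] = {0x82, 0x00}; return eap_pwd_check_commit(f, sizeof f, 32, 32); }

int main(void)
{
    printf("valid=%d short=%d cut_hdr=%d\n", demo_valid(), demo_short(), demo_cut_hdr());
    return 0;
}
```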

Comment 1 Martin Prpič 2015-05-07 11:57:13 UTC
Created hostapd tracking bugs for this issue:

Affects: fedora-all [bug 1219453]
Affects: epel-6 [bug 1219454]
Affects: epel-7 [bug 1219455]

Comment 2 Martin Prpič 2015-05-07 11:57:16 UTC
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1219452]

Comment 3 John W. Linville 2015-05-07 19:09:48 UTC
We are not enabling the option with the reported problem.

Comment 5 Tomas Hoger 2015-05-13 13:33:01 UTC
Affected code does not exist in wpa_supplicant versions in Red Hat Enterprise Linux 6 and earlier.  The wpa_supplicant packages in Red Hat Enterprise Linux 7, and the wpa_supplicant and hostapd packages in Fedora and Fedora EPEL are not built with the CONFIG_EAP_PWD configuration option and hence are also unaffected.

Statement:

Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, and 7.

Comment 6 Dan Williams 2015-05-14 21:26:57 UTC
I fear, however, that if we get a request to add EAP-PWD in the future, we'll miss this security fix and just add CONFIG_EAP_PWD to the build config and re-introduce the vulnerability...  It's unlikely that we'll rebase the supplicant (and thus pick up the fix) due to the QE impact of doing so.

Comment 8 Tomas Hoger 2015-06-01 06:56:37 UTC
Four CVEs were assigned to fixes under this upstream advisory.  Quoting from:

http://seclists.org/oss-sec/2015/q2/595

"""
Use CVE-2015-4143 for the "The length of the received Commit and
Confirm message payloads was not checked before reading them. This
could result in a buffer read overflow when processing an invalid
message." issues in both
0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch and
0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch.

Use CVE-2015-4144 for "The remaining number of bytes in the message
could be smaller than the Total-Length field size, so the length needs
to be explicitly checked prior to reading the field and decrementing
the len variable. This could have resulted in the remaining length
becoming negative and interpreted as a huge positive integer." in both
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4145 for "check that there is no already started fragment
in progress before allocating a new buffer for reassembling fragments.
This avoids a potential memory leak when processing an invalid message."
in both
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4146 for
0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch.
"""