Bug 1221172 (CVE-2015-4141)

Summary: CVE-2015-4141 wpa_supplicant and hostapd: WPS UPnP vulnerability with HTTP chunked transfer encoding
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dcbw, jrusnack, linville, negativo17, rkhan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: wpa_supplicant 2.5, hostapd 2.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-13 12:25:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1219461    

Description Martin Prpič 2015-05-13 12:23:36 UTC 
The following flaw was found in wpa_supplicant:

A vulnerability was found in the WPS UPnP function shared by hostapd (WPS AP) and wpa_supplicant (WPS external registrar). The HTTP implementation used for the UPnP operations uses a signed integer for storing the length of a HTTP chunk when the chunked transfer encoding and may end up using a negative value when the chunk length is indicated as 0x8000000 or longer. The length validation steps do not handle the negative value properly and may end up accepting the length and passing a negative value to the memcpy when copying the received data from a stack buffer to a heap buffer allocated for the full request. This results in stack buffer read overflow and heap buffer write overflow.

Taken into account both hostapd and wpa_supplicant use only a single thread, the memcpy call with a negative length value results in heap corruption, but due to the negative parameter being interpreted as a huge positive integer, process execution terminates in practice before being able to run any following operations with the corrupted heap. This may allow a possible denial of service attack through hostapd/wpa_supplicant process termination under certain conditions.

WPS UPnP operations are performed over a trusted IP network connection, i.e., an attack against this vulnerability requires the attacker to have access to the IP network. In addition, this requires the WPS UPnP functionality to be enabled at runtime. For WPS AP (hostapd) with a wired network connectivity, this is commonly enabled. For WPS station (wpa_supplicant) WPS UPnP functionality is used only when WPS ER functionality has been enabled at runtime (WPS_ER_START command issued over the control interface). The vulnerable functionality is not reachable without that command having been issued.

Vulnerable versions/configurations

hostapd v0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration (hostapd/.config) and upnp_iface parameter included in the runtime configuration.

wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_ER=y in the build configuration (wpa_supplicant/.config) and WPS ER functionality enabled at runtime with WPS_ER_START control interface command.

Upstream patch:

http://w1.fi/security/2015-2/

Possible workarounds:

- Disable WPS UPnP in hostapd runtime configuration (remove the upnp_iface parameter from the configuration file)

- Do not enable WPS ER at runtime in wpa_supplicant (WPS_ER_START control interface command)

- Disable WPS UPnP/ER from the build (remove CONFIG_WPS_UPNP=y from hostapd/.config and CONFIG_WPS_ER=y from wpa_supplicant/.config)

CVE request:

http://seclists.org/oss-sec/2015/q2/396

External References:

http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
Comment 1 Martin Prpič 2015-05-13 12:25:09 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux versions 5, 6, and 7.
Comment 2 Tomas Hoger 2015-05-13 13:51:38 UTC 
Upstream commit:

http://w1.fi/cgit/hostap/commit/?id=5acd23f4581da58683f3cf5e36cb71bbe4070bd7

Affected code does not exist in wpa_supplicant versions in Red Hat Enterprise Linux 5 and earlier.  The wpa_supplicant packages in Red Hat Enterprise Linux 6 and 7, and the wpa_supplicant and hostapd packages in Fedora and Fedora EPEL are not built with the CONFIG_WPS_ER or CONFIG_WPS_UPNP configuration options and hence are also unaffected.