Bug 1241905 (CVE-2015-8041)

Summary: CVE-2015-8041 hostapd and wpa_supplicant: Incomplete WPS and P2P NFC NDEF record payload length validation
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dcbw, jklimes, linville, lkundrak, negativo17, rkhan, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: hostapd 2.5, wpa_supplicant 2.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-16 13:49:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1241906, 1241907, 1241908    
Bug Blocks: 1241914    

Description Vasyl Kaigorodov 2015-07-10 12:03:24 UTC 
Quoting from the hostapd/wpa_supplicant 2015-5 advisory:

A vulnerability was found in NDEF record parsing implementation in
hostapd and wpa_supplicant. This code is used when an NFC Tag or NFC
connection handover is used to trigger WPS or P2P operations. The parser
did include bounds checking for the NDEF record payload length, but due
to insufficient integer size, it was possible to trigger integer
overflow that would result in bypassing the validation step with some
malformed NDEF records.

This could result in denial of service due to hostapd/wpa_supplicant
process termination (buffer read overflow) or infinite loop. The issue
can be triggered only if the NFC stack on the device does not perform
required validation steps for received NFC messages before sending the
received message to hostapd/wpa_supplicant for processing.

It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().

Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received NDEF records. While such validation is likely done in the NFC
stack that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant should have (re)confirmed NDEF message validity
properly.


Vulnerable versions/configurations

hostapd v0.7.0-v2.4 with CONFIG_WPS_NFC=y in the build configuration
(hostapd/.config) and NFC NDEF records passed to hostapd by the NFC
stack without validation.

wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_NFC=y in the build
configuration (wpa_supplicant/.config) and NFC NDEF records passed to
wpa_supplicant by the NFC stack without validation.

Note: No NFC stack implementation has yet been identified with
capability to pass the malformed NDEF record to
hostapd/wpa_supplicant. As such, it is not known whether this issue can
be triggered in practice.

Alternatively to an actual NFC operation trigger, the malformed NDEF
records could be provided by other applications running on the same
device if access to the hostapd/wpa_supplicant control interface is
available to untrusted components or users.


Upstream patch:

http://w1.fi/security/2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch

External References:

http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt
Comment 1 Vasyl Kaigorodov 2015-07-10 12:04:54 UTC 
Created hostapd tracking bugs for this issue:

Affects: fedora-all [bug 1241906]
Affects: epel-all [bug 1241908]
Comment 2 Vasyl Kaigorodov 2015-07-10 12:04:56 UTC 
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1241907]
Comment 3 Tomas Hoger 2015-07-16 13:49:15 UTC 
The wpa_supplicant packages in Red Hat Enterprise Linux 5 and earlier are not affected, as they do not include vulnerable code.

The wpa_supplicant packages in Red Hat Enterprise Linux 6 and 7 are also not affected, as the vulnerable code is not compiled in (packages are not built with the CONFIG_WPS_NFC build option).

The wpa_supplicant and hostapd packages in Fedora and Fedora EPEL are also built without affected code / without CONFIG_WPS_NFC, and are unaffected.

Statement:

Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Comment 4 Tomas Hoger 2015-07-16 13:55:38 UTC 
Upstream commit:

http://w1.fi/cgit/hostap/commit/?id=df9079e72760ceb7ebe7fb11538200c516bdd886
Comment 5 Fedora Update System 2015-07-23 08:59:35 UTC 
hostapd-2.4-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-07-23 08:59:55 UTC 
hostapd-2.4-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-07-30 05:03:45 UTC 
hostapd-2.4-3.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.