Bug 1278373 (CVE-2015-5314)

Summary: CVE-2015-5314 hostapd: EAP-pwd missing last fragment length validation
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: hostapd 2.6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-05 11:25:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1277868    
Attachments:
Description Flags
EAP-pwd peer: Fix last fragment length validation
none
EAP-pwd server: Fix last fragment length validation none

Description Martin Prpič 2015-11-05 11:12:07 UTC 
The following flaw was reported in hostapd:

A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length was not checked for the last fragment (but was checked for other fragments). This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.

For hostapd used with an internal EAP server and EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack by an attacker within radio range of the AP device.

For hostapd used as a RADIUS server with EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack by an attacker within radio range of any AP device that is authorized to use the RADIUS server.

Vulnerable versions/configurations:

hostapd v1.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and EAP-pwd authentication server enabled in runtime configuration.

Possible workarounds:

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration

The related issue in wpa_supplicant is filed under CVE-2015-5315.

External References:

http://w1.fi/security/2015-7/
Comment 1 Martin Prpič 2015-11-05 11:23:59 UTC 
Created attachment 1090026 [details]
EAP-pwd peer: Fix last fragment length validation
Comment 2 Martin Prpič 2015-11-05 11:24:17 UTC 
Created attachment 1090027 [details]
EAP-pwd server: Fix last fragment length validation
Comment 3 Martin Prpič 2015-11-05 11:25:46 UTC 
The hostapd packages in Fedora are not built with the CONFIG_EAP_PWD configuration option and hence are not affected.