Bug 1221178 (CVE-2015-4142) - CVE-2015-4142 wpa_supplicant and hostapd: integer underflow in AP mode WMM Action frame processing
Summary: CVE-2015-4142 wpa_supplicant and hostapd: integer underflow in AP mode WMM Ac...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-4142
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1221552 1221553 1221554 1221555 1222015 1222016 1226396
Blocks: 1193283 1211193 1219461
TreeView+ depends on / blocked
 
Reported: 2015-05-13 12:37 UTC by Martin Prpič
Modified: 2021-02-17 05:18 UTC (History)
4 users (show)

Fixed In Version: wpa_supplicant 2.5, hostapd 2.5
Doc Type: Bug Fix
Doc Text:
An integer underflow flaw, leading to a buffer over-read, was found in the way wpa_supplicant handled WMM Action frames. A specially crafted frame could possibly allow an attacker within Wi-Fi radio range to cause wpa_supplicant to crash.
Clone Of:
Environment:
Last Closed: 2015-07-22 08:38:25 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1090 0 normal SHIPPED_LIVE Important: wpa_supplicant security and enhancement update 2015-06-11 21:47:52 UTC
Red Hat Product Errata RHSA-2015:1439 0 normal SHIPPED_LIVE Low: wpa_supplicant security and enhancement update 2015-07-20 18:05:50 UTC

Description Martin Prpič 2015-05-13 12:37:28 UTC
The following flaw was found in wpa_supplicant:

A vulnerability was found in WMM Action frame processing in a case where hostapd or wpa_supplicant is used to implement AP mode MLME/SME functionality (i.e., Host AP driver of a mac80211-based driver on Linux).

The AP mode WMM Action frame parser in hostapd/wpa_supplicant goes through the variable length information element part with the length of this area calculated by removing the header length from the total length of the frame. The frame length is previously verified to be large enough to include the IEEE 802.11 header, but the couple of additional bytes after this header are not explicitly verified and as a result of this, there may be an integer underflow that results in the signed integer variable storing the length becoming negative. This negative value is then interpreted as a very large unsigned integer length when parsing the information elements. This results in a buffer read overflow and process termination.

This vulnerability can be used to perform denial of service attacks by an attacker that is within radio range of the AP that uses hostapd of wpa_supplicant for MLME/SME operations.

Vulnerable versions/configurations

hostapd v0.5.5-v2.4 with CONFIG_DRIVER_HOSTAP=y or CONFIG_DRIVER_NL80211=y in the build configuration (hostapd/.config).

wpa_supplicant v0.7.0-v2.4 with CONFIG_AP=y or CONFIG_P2P=y and CONFIG_DRIVER_HOSTAP=y or CONFIG_DRIVER_NL80211=y in the build configuration (wpa_supplicant/.config) and AP (including P2P GO) mode used at runtime.

Upstream patch:

http://w1.fi/security/2015-3/

Possible workarounds:

- wpa_supplicant: Do not enable AP mode or P2P GO operation at runtime

CVE request:

http://seclists.org/oss-sec/2015/q2/397

External References:

http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt

Comment 1 Tomas Hoger 2015-05-14 09:05:41 UTC
Upstream commit:

http://w1.fi/cgit/hostap/commit/?id=ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae

Affected code does not exist in wpa_supplicant packages in Red Hat Enterprise Linux 5 and earlier.  The wpa_supplicant packages in Red Hat Enterprise Linux 6 and 7 contain affected code and built with require configuration option.  However, this only affects less common wpa_supplicant configurations.

Comment 2 Tomas Hoger 2015-05-14 10:55:58 UTC
Created hostapd tracking bugs for this issue:

Affects: fedora-all [bug 1221553]
Affects: epel-6 [bug 1221554]
Affects: epel-7 [bug 1221555]

Comment 3 Tomas Hoger 2015-05-14 10:56:02 UTC
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1221552]

Comment 5 Fedora Update System 2015-05-26 03:17:08 UTC
hostapd-2.4-2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-05-27 16:04:12 UTC
hostapd-2.4-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-05-27 16:27:35 UTC
hostapd-2.4-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-06-04 15:54:42 UTC
hostapd-2.4-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-06-04 15:58:20 UTC
hostapd-2.0-6.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 errata-xmlrpc 2015-06-11 17:48:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1090 https://rhn.redhat.com/errata/RHSA-2015-1090.html

Comment 12 errata-xmlrpc 2015-07-22 07:46:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1439 https://rhn.redhat.com/errata/RHSA-2015-1439.html

Comment 14 Fedora Update System 2015-11-12 23:28:08 UTC
wpa_supplicant-2.4-6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-11-23 23:20:21 UTC
wpa_supplicant-2.0-17.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-11-24 22:24:44 UTC
wpa_supplicant-2.4-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.