The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Hostapd | W1.fi | 1.0 (including) | 1.0 (including) |
| Hostapd | W1.fi | 1.1 (including) | 1.1 (including) |
| Hostapd | W1.fi | 2.0 (including) | 2.0 (including) |
| Hostapd | W1.fi | 2.1 (including) | 2.1 (including) |
| Hostapd | W1.fi | 2.2 (including) | 2.2 (including) |
| Hostapd | W1.fi | 2.3 (including) | 2.3 (including) |
| Hostapd | W1.fi | 2.4 (including) | 2.4 (including) |
| Hostapd | Ubuntu | upstream | * |
| Wpa | Ubuntu | devel | * |
| Wpa | Ubuntu | esm-infra-legacy/trusty | * |
| Wpa | Ubuntu | trusty | * |
| Wpa | Ubuntu | trusty/esm | * |
| Wpa | Ubuntu | upstream | * |
| Wpa | Ubuntu | utopic | * |
| Wpa | Ubuntu | vivid | * |
| Wpa | Ubuntu | vivid/stable-phone-overlay | * |
| Wpa | Ubuntu | vivid/ubuntu-core | * |
| Wpasupplicant | Ubuntu | upstream | * |
References
- http://lists.opensuse.org/opensuse-updates/2015-06/msg00019.html
- http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
- http://www.debian.org/security/2015/dsa-3397
- http://www.openwall.com/lists/oss-security/2015/05/09/6
- http://www.openwall.com/lists/oss-security/2015/05/31/6
- http://www.ubuntu.com/usn/USN-2650-1
- https://security.gentoo.org/glsa/201606-17
- http://lists.opensuse.org/opensuse-updates/2015-06/msg00019.html
- http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
- http://www.debian.org/security/2015/dsa-3397
- http://www.openwall.com/lists/oss-security/2015/05/09/6
- http://www.openwall.com/lists/oss-security/2015/05/31/6
- http://www.ubuntu.com/usn/USN-2650-1
- https://security.gentoo.org/glsa/201606-17