[v3.1] wpa_supplicant, hostapd: WPS UPnP vulnerability with HTTP chunked transfer encoding (CVE-2015-4141, CVE-2015-4142)
CVE-2015-4141:
A vulnerability was found in the WPS UPnP function shared by hostapd (WPS AP) and wpa_supplicant (WPS external registrar). The HTTP implementation used for the UPnP operations uses a signed integer for storing the length of an HTTP chunk when the chunked transfer encoding is used, and may end up using a negative value when the chunk length is indicated as 0x80000000 or larger. The length validation steps do not handle the negative value properly and may end up accepting the length and passing a negative value to memcpy when copying the received data from a stack buffer to a heap buffer allocated for the full request. This results in a stack buffer read overflow and a heap buffer write overflow.
Taking into account that both hostapd and wpa_supplicant use only a single thread, the memcpy call with a negative length value results in heap corruption, but because the negative parameter is interpreted as a huge positive integer, the process terminates in practice before it can run any following operations on the corrupted heap. This may allow a denial of service attack through hostapd/wpa_supplicant process termination under certain conditions.
WPS UPnP operations are performed over a trusted IP network connection, i.e., an attack against this vulnerability requires the attacker to have access to the IP network. In addition, this requires the WPS UPnP functionality to be enabled at runtime. For WPS AP (hostapd) with a wired network connectivity, this is commonly enabled. For WPS station (wpa_supplicant) WPS UPnP functionality is used only when WPS ER functionality has been enabled at runtime (WPS_ER_START command issued over the control interface). The vulnerable functionality is not reachable without that command having been issued.
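The following is an added illustration of the length-handling pattern described above, written for this page and not taken from hostapd or wpa_supplicant. It parses an HTTP chunk-size line the way the advisory describes (signed int, upper-bound-only check) beside a hardened version that keeps the length unsigned and checks the running total without signed arithmetic. MAX_BODY and all function names are assumptions made for the example; the sample chunk-size lines are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on a whole request body; chosen for the example. */
#define MAX_BODY 65536

/* Vulnerable shape: the chunk-size line ("80000000\r\n") is converted with
 * strtoul and stored in a signed int, so 0x80000000 and above wrap negative. */
static int chunk_len_vuln(const char *line)
{
    return (int) strtoul(line, NULL, 16);   /* "80000000" -> INT_MIN */
}

/* The broken validation: only the upper bound is checked, so a negative
 * length passes both tests and would later be handed to memcpy.
 * Returns 1 if the (broken) check accepts the chunk, 0 if it rejects it. */
static int chunk_len_vuln_check(const char *line, int body_used)
{
    int len = chunk_len_vuln(line);
    if (len > MAX_BODY || body_used + len > MAX_BODY)
        return 0;                          /* never reached for negative len */
    return 1;
}

/* What memcpy actually receives: the negative int converted to size_t,
 * i.e. a huge unsigned count that walks off both buffers. */
static size_t memcpy_size_for(int len)
{
    return (size_t) len;                   /* INT_MIN -> 2^64 - 2^31 on LP64 */
}

/* Hardened form: require a hex digit up front (no sign, no whitespace),
 * parse into an unsigned type, reject conversion overflow and trailing
 * junk, and bound both the chunk and the running total with subtraction
 * arranged so it cannot wrap. Returns the length, or -1 on rejection. */
static long chunk_len_fixed(const char *line, size_t body_used)
{
    char *end;
    unsigned long long v;

    if (!isxdigit((unsigned char) line[0]))
        return -1;                         /* "-1", " 80", "" all rejected */
    errno = 0;
    v = strtoull(line, &end, 16);
    if (errno == ERANGE)
        return -1;                         /* more than 64 bits of digits */
    if (*end != '\r' && *end != '\n' && *end != ';' && *end != '\0')
        return -1;                         /* only CRLF or a chunk extension may follow */
    if (v > MAX_BODY || body_used > MAX_BODY - v)
        return -1;                         /* chunk, or chunk plus total, too large */
    return (long) v;
}

int main(void)
{
    const char *evil = "80000000\r\n";     /* constructed chunk-size line */
    int len = chunk_len_vuln(evil);
    printf("vulnerable parser stores %d, check accepts: %d, memcpy would get %zu bytes\n",
           len, chunk_len_vuln_check(evil, 0), memcpy_size_for(len));
    printf("fixed parser returns %ld\n", chunk_len_fixed(evil, 0));
    printf("fixed parser on \"1000;ext=1\" returns %ld\n",
           chunk_len_fixed("1000;ext=1\r\n", 0));
    return 0;
}
```

The hardened check also covers the second failure mode the advisory alludes to: even when each chunk is individually below the cap, the running total is compared with `body_used > MAX_BODY - v`, which cannot wrap because `v` has already been shown to be at most MAX_BODY.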
Vulnerable versions/configurations
hostapd v0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration (hostapd/.config) and upnp_iface parameter included in the runtime configuration.
wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_ER=y in the build configuration (wpa_supplicant/.config) and WPS ER functionality enabled at runtime with WPS_ER_START control interface command.
Suggestion: Update to hostapd/wpa_supplicant v2.5 or newer, once available
References:
http://seclists.org/oss-sec/2015/q2/595
http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
CVE-2015-4142:
A vulnerability was found in WMM Action frame processing in a case where hostapd or wpa_supplicant is used to implement AP mode MLME/SME functionality (i.e., Host AP driver or a mac80211-based driver on Linux).
The AP mode WMM Action frame parser in hostapd/wpa_supplicant goes through the variable length information element part with the length of this area calculated by removing the header length from the total length of the frame. The frame length is previously verified to be large enough to include the IEEE 802.11 header, but the couple of additional bytes after this header are not explicitly verified and as a result of this, there may be an integer underflow that results in the signed integer variable storing the length becoming negative. This negative value is then interpreted as a very large unsigned integer length when parsing the information elements. This results in a buffer read overflow and process termination.
This vulnerability can be used to perform denial of service attacks by an attacker that is within radio range of the AP that uses hostapd or wpa_supplicant for MLME/SME operations.
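As an added example for the underflow described above (written for this page, not code from hostapd or wpa_supplicant), the vulnerable handler shape beside a hardened one, with a minimal information-element walker so the effect of the bad length is visible. The 24-byte header length and the four fixed WMM action fields are from the 802.11 frame format; the function names, the element walker and the sample frame are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IEEE80211_HDRLEN 24  /* FC(2) dur(2) addr1-3(18) seq ctrl(2) */
#define WMM_ACTION_FIXED 4   /* category, action, dialog token, status code */

/* Walk the information-element area: id, length, body. Returns the
 * element count, or -1 if an element runs past 'left'. Safe only when
 * 'left' truthfully describes the buffer; a lying 'left' is the bug. */
static int parse_ies(const uint8_t *pos, size_t left)
{
    int n = 0;
    while (left >= 2) {
        size_t ielen = pos[1];
        if (ielen > left - 2)
            return -1;             /* truncated element */
        pos += 2 + ielen;
        left -= 2 + ielen;
        n++;
    }
    return left == 0 ? n : -1;     /* a dangling single byte is malformed */
}

/* Vulnerable shape (constructed to mirror the advisory): only the 802.11
 * header is checked before subtracting the fixed fields as well. For a
 * 24..27 byte frame the signed result is negative and parse_ies receives
 * a huge size_t, so it reads far past the frame. Do not call this with
 * len < 28 outside a sandbox. */
static int wmm_action_vuln(const uint8_t *frame, size_t len)
{
    if (len < IEEE80211_HDRLEN)
        return -1;
    int left = (int) len - IEEE80211_HDRLEN - WMM_ACTION_FIXED;  /* underflows */
    const uint8_t *pos = frame + IEEE80211_HDRLEN + WMM_ACTION_FIXED;
    return parse_ies(pos, (size_t) left);
}

/* The length value the vulnerable path hands to the IE parser, so it can
 * be inspected without performing the out-of-bounds read. */
static size_t wmm_ie_len_vuln(size_t len)
{
    int left = (int) len - IEEE80211_HDRLEN - WMM_ACTION_FIXED;
    return (size_t) left;          /* -3 becomes SIZE_MAX - 2 */
}

/* Hardened form: check for the fixed fields before subtracting, and keep
 * the remaining length unsigned so it can never go negative. */
static int wmm_action_fixed(const uint8_t *frame, size_t len)
{
    if (len < IEEE80211_HDRLEN + WMM_ACTION_FIXED)
        return -1;                 /* too short to carry the fixed fields */
    size_t left = len - IEEE80211_HDRLEN - WMM_ACTION_FIXED;
    return parse_ies(frame + IEEE80211_HDRLEN + WMM_ACTION_FIXED, left);
}

/* Constructed sample: management header (action frame, FC 0xd0), the four
 * fixed WMM fields (category 17 = WMM, ADDTS request, dialog 1, status 0),
 * and one vendor-specific element (id 0xdd, length 3, OUI 00:50:f2). */
static const uint8_t sample_frame[] = {
    0xd0, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* addr1 (constructed) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,   /* addr2 (constructed) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* addr3 (constructed) */
    0x00, 0x00,                           /* sequence control */
    0x11, 0x00, 0x01, 0x00,               /* category, action, dialog, status */
    0xdd, 0x03, 0x00, 0x50, 0xf2          /* vendor-specific IE */
};

int main(void)
{
    printf("vulnerable path, 25-byte frame: IE length %zu\n", wmm_ie_len_vuln(25));
    printf("fixed handler, 25-byte frame: %d\n", wmm_action_fixed(sample_frame, 25));
    printf("fixed handler, full frame: %d IE(s)\n",
           wmm_action_fixed(sample_frame, sizeof sample_frame));
    return 0;
}
```

The one-line check in `wmm_action_fixed` is the whole fix: the subtraction is only performed once the frame is known to be at least 28 bytes, and the remaining length stays `size_t`, so the IE walker's own bounds checks are operating on a true length.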
Vulnerable versions/configurations
hostapd v0.5.5-v2.4 with CONFIG_DRIVER_HOSTAP=y or CONFIG_DRIVER_NL80211=y in the build configuration (hostapd/.config).
wpa_supplicant v0.7.0-v2.4 with CONFIG_AP=y or CONFIG_P2P=y and CONFIG_DRIVER_HOSTAP=y or CONFIG_DRIVER_NL80211=y in the build configuration (wpa_supplicant/.config) and AP (including P2P GO) mode used at runtime.
Suggestion: Update to hostapd/wpa_supplicant v2.5 or newer, once available
References:
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
(from redmine: issue id 4269, created on 2015-06-04, closed on 2015-06-16)
- Relations:
- parent #4266 (closed)
- Changesets:
- Revision 3a936bc7 by Natanael Copa on 2015-06-15T11:51:54Z:
main/wpa_supplicant: various security fixes
CVE-2015-4141
CVE-2015-4142
CVE-2015-4143
CVE-2015-4144
CVE-2015-4145
CVE-2015-4146
fixes #4341
fixes #4269
- Revision 2b5198b4 by Natanael Copa on 2015-06-15T11:52:46Z:
main/hostapd: various security fixes
CVE-2015-4141
CVE-2015-4142
CVE-2015-4143
CVE-2015-4144
CVE-2015-4145
CVE-2015-4146
fixes #4336
fixes #4269
- Revision 8eeb852f by Natanael Copa on 2015-06-15T12:06:31Z:
main/hostapd: various security fixes
CVE-2015-4141
CVE-2015-4142
CVE-2015-4143
CVE-2015-4144
CVE-2015-4145
CVE-2015-4146
fixes #4337
fixes #4269