lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20121008125657.GA23154@pre-sense.de>
Date: Mon, 8 Oct 2012 14:56:57 +0200
From: Timo Warns <Warns@...-Sense.DE>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [PRE-SA-2012-07] hostapd: Missing EAP-TLS message
	length validation

PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-07
* Released on: 8 October 2012
* Affected product: Hostapd 0.6 - 1.0
* Impact: denial of service
* Origin: specially crafted EAP-TLS messages
* CVSS Base Score: 7.8
    Impact Subscore: 6.9
    Exploitability Subscore: 10
  CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-4445


Summary
-------

The internal EAP authentication server of hostapd does not sufficiently
validate the message length field of EAP-TLS messages, which can be
exploited for a denial-of-service via specially crafted EAP-TLS messages
(before authentication).

Hostapd has a function eap_server_tls_process_fragment() used by its
internal EAP authentication server for handling fragmented EAP-TLS
messages. The function (indirectly) calls wpabuf_overflow() aborting
the application in case of potential buffer overflows. Such a situation
can be triggered by an attacker sending an EAP-TLS message with

    a) the "More Fragments" flag set and
    b) an "TLS Message Length" value that is smaller than the size of
       the "TLS Data" field.

The vulnerability can be exploited only if hostapd is configured to use
its internal EAP authentication server, either directly for IEEE 802.11x
or when using hostapd as a RADIUS authentication server. 

Affected is hostapd in versions 0.6 - 1.0. The issue was introduced with
commit
http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=34f564dbd5168626da55a7119b04832e98793160


Solution
--------

A patch is available at
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=586c446e0ff42ae00315b014924ec669023bd8de


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-07.txt


Contact
--------

PRE-CERT can be reached under precert@...-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ