[arch-security] [ASA-201504-29] wpa_supplicant: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Fri Apr 24 20:08:01 UTC 2015 

Arch Linux Security Advisory ASA-201504-29
==========================================

Severity: Critical
Date    : 2015-04-24
CVE-ID  : CVE-2015-1863
Package : wpa_supplicant
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package wpa_supplicant before version 2.4-1 is vulnerable to denial
of service, leak of sensitive information and potentially arbitrary code
execution.

Resolution
==========

Upgrade to 2.4-1.

# pacman -Syu "wpa_supplicant>=2.4-1"

The problem has been fixed upstream but an updated version has not been
released yet.

Workaround
==========

This issue can be mitigated by disabling the P2P feature support in the
/etc/wpa_supplicant/wpa_supplicant.conf configuration file.
Either "P2P_SET disabled 1" or "p2p_disabled=1" should be set for each
interface used.

Description
===========

A vulnerability was found in how wpa_supplicant uses SSID information
parsed from management frames that create or update P2P peer entries
(e.g., Probe Response frame or number of P2P Public Action frames). SSID
field has valid length range of 0-32 octets. However, it is transmitted
in an element that has a 8-bit length field and potential maximum
payload length of 255 octets. wpa_supplicant was not sufficiently
verifying the payload length on one of the code paths using the SSID
received from a peer device.

This can result in copying arbitrary data from an attacker to a fixed
length buffer of 32 bytes (i.e., a possible overflow of up to 223
bytes). The SSID buffer is within struct p2p_device that is allocated
from heap. The overflow can override couple of variables in the struct,
including a pointer that gets freed. In addition about 150 bytes (the
exact length depending on architecture) can be written beyond the end of
the heap allocation.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to wpa_supplicant process crash, exposure of memory contents during
GO Negotiation, and potentially arbitrary code execution.

Attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a suitably constructed
management frame that triggers a P2P peer device information to be
created or updated.

The vulnerability is easiest to exploit while the device has started an
active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
interface command in progress). However, it may be possible, though
significantly more difficult, to trigger this even without any active
P2P operation in progress.

Impact
======

A remote attacker within radio range may be able to cause a denial of
service, read arbitrary memory or execute arbitrary code.

References
==========

https://access.redhat.com/security/cve/CVE-2015-1863
http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
https://bugs.archlinux.org/task/44695

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150424/7d501e75/attachment.asc>

More information about the arch-security mailing list