Bugzilla – Bug 930077
VUL-0: CVE-2015-4141: wpa_supplicant: WPS UPnP vulnerability with HTTP chunked transfer encoding
Last modified: 2020-11-27 11:18:42 UTC
Created attachment 633609 [details]
advisory patch

http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt

WPS UPnP vulnerability with HTTP chunked transfer encoding

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-2/

Vulnerability

A vulnerability was found in the WPS UPnP function shared by hostapd (WPS AP) and wpa_supplicant (WPS external registrar). The HTTP implementation used for the UPnP operations uses a signed integer for storing the length of an HTTP chunk when chunked transfer encoding is used, and may end up using a negative value when the chunk length is indicated as 0x8000000 or longer. The length validation steps do not handle the negative value properly and may end up accepting the length and passing a negative value to the memcpy when copying the received data from a stack buffer to a heap buffer allocated for the full request. This results in a stack buffer read overflow and a heap buffer write overflow.

Taking into account that both hostapd and wpa_supplicant use only a single thread, the memcpy call with a negative length value results in heap corruption, but due to the negative parameter being interpreted as a huge positive integer, process execution terminates in practice before being able to run any following operations with the corrupted heap. This may allow a possible denial of service attack through hostapd/wpa_supplicant process termination under certain conditions.

WPS UPnP operations are performed over a trusted IP network connection, i.e., an attack against this vulnerability requires the attacker to have access to the IP network. In addition, this requires the WPS UPnP functionality to be enabled at runtime. For WPS AP (hostapd) with wired network connectivity, this is commonly enabled. For WPS station (wpa_supplicant) WPS UPnP functionality is used only when WPS ER functionality has been enabled at runtime (WPS_ER_START command issued over the control interface). The vulnerable functionality is not reachable without that command having been issued.

Vulnerable versions/configurations

hostapd v0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration (hostapd/.config) and the upnp_iface parameter included in the runtime configuration.

wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_ER=y in the build configuration (wpa_supplicant/.config) and WPS ER functionality enabled at runtime with the WPS_ER_START control interface command.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and reporting this issue.

Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:
  WPS: Fix HTTP chunked transfer encoding parser
  This patch is available from http://w1.fi/security/2015-2/
- Update to hostapd/wpa_supplicant v2.5 or newer, once available
- Disable WPS UPnP in hostapd runtime configuration (remove the upnp_iface parameter from the configuration file)
- Do not enable WPS ER at runtime in wpa_supplicant (WPS_ER_START control interface command)
- Disable WPS UPnP/ER from the build (remove CONFIG_WPS_UPNP=y from hostapd/.config and CONFIG_WPS_ER=y from wpa_supplicant/.config)
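The advisory above describes a chunk-size parser that stores the length in a signed int and then runs a capacity check that a negative value slips through. The following is an added illustration, not code from hostapd, wpa_supplicant or the advisory: a simplified, hypothetical version of that pre-fix pattern next to a hardened parser that keeps the length unsigned, caps it, and checks capacity without wraparound. MAX_BODY and the chunk-size line "80000000" are constructed for the demo.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BODY 16384u   /* constructed cap on the assembled request body */

/* Pre-fix pattern (simplified, hypothetical, not the hostapd source): the size
 * lands in a signed int, so 0x80000000 and above go negative (gcc/clang wrap). */
static int parse_chunk_size_signed(const char *line)
{
    return (int)(uint32_t)strtoul(line, NULL, 16);   /* "80000000" -> INT_MIN */
}

/* Pre-fix capacity check: a negative len always passes, and memcpy() would
 * then receive (size_t)len, a huge positive byte count. */
static int vulnerable_accepts(int chunk_len, int used)
{
    return used + chunk_len <= (int)MAX_BODY;
}

/* Hardened parse: unsigned accumulation with an overflow guard, a hard
 * maximum, and a capacity check that cannot wrap. Returns the chunk length,
 * or -1 if the size line is malformed or the chunk cannot fit. */
static long hardened_chunk_len(const char *line, size_t used)
{
    size_t v = 0;
    int ndigits = 0;
    for (; isxdigit((unsigned char)*line); line++, ndigits++) {
        unsigned d = isdigit((unsigned char)*line) ? (unsigned)(*line - '0')
                   : (unsigned)(tolower((unsigned char)*line) - 'a') + 10;
        if (v > (MAX_BODY - d) / 16)       /* v*16 + d would exceed MAX_BODY */
            return -1;
        v = v * 16 + d;
    }
    if (ndigits == 0 || used > MAX_BODY || v > MAX_BODY - used)
        return -1;
    return (long)v;
}

/* Replays the advisory's scenario on a constructed chunk-size line; returns 1
 * when the signed path accepts it and the hardened path rejects it. */
static int demo(void)
{
    const char *hdr = "80000000\r\n";   /* constructed: chunk length 0x80000000 */
    int len = parse_chunk_size_signed(hdr), accepted = vulnerable_accepts(len, 0);
    printf("signed: len=%d accepted=%d memcpy count=%zu; hardened: %ld\n",
           len, accepted, (size_t)len, hardened_chunk_len(hdr, 0));
    return accepted && hardened_chunk_len(hdr, 0) == -1;
}
```

The hardened version rejects the oversized chunk while still parsing, so the failure is a clean protocol error rather than a memcpy with a wrapped count.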
sle11-sp2 submitted
created request id 57202 (target SUSE:Maintenance:453)
bugbot adjusting priority
mr 13.1: created request id Request: #305846
mr 13.2: created request id Request: #305847
created request id 305848 (for devel project hardware for factory)
This is an autogenerated message for OBS integration:
This bug (930077) was mentioned in
https://build.opensuse.org/request/show/305846 13.1 / wpa_supplicant
https://build.opensuse.org/request/show/305847 13.2 / wpa_supplicant
CVE-2015-4141 was assigned to this issue.
openSUSE-SU-2015:1030-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143
Sources used:
openSUSE 13.2 (src): wpa_supplicant-2.2-5.7.1
openSUSE 13.1 (src): wpa_supplicant-2.0-3.14.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-07-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62176
This is an autogenerated message for OBS integration:
This bug (930077) was mentioned in
https://build.opensuse.org/request/show/345591 Factory / hostapd
SUSE-SU-2015:2221-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 930077,930078
CVE References: CVE-2015-4141,CVE-2015-4142
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): wpa_supplicant-0.7.1-6.17.4
SUSE Linux Enterprise Server 11-SP4 (src): wpa_supplicant-0.7.1-6.17.4
SUSE Linux Enterprise Server 11-SP3 (src): wpa_supplicant-0.7.1-6.17.4
SUSE Linux Enterprise Desktop 11-SP4 (src): wpa_supplicant-0.7.1-6.17.4
SUSE Linux Enterprise Desktop 11-SP3 (src): wpa_supplicant-0.7.1-6.17.4
SUSE-SU-2016:2305-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): wpa_supplicant-2.2-14.2
SUSE Linux Enterprise Desktop 12-SP1 (src): wpa_supplicant-2.2-14.2
openSUSE-SU-2016:2357-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
openSUSE Leap 42.1 (src): wpa_supplicant-2.2-8.1
fixed
openSUSE-SU-2017:2896-1: An update that fixes 14 vulnerabilities is now available.
Category: security (important)
Bug References: 1063479,930077,930078,930079
CVE References: CVE-2015-1863,CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-4144,CVE-2015-4145,CVE-2015-5314,CVE-2016-4476,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13087,CVE-2017-13088
Sources used:
openSUSE Leap 42.3 (src): hostapd-2.6-8.1
openSUSE Leap 42.2 (src): hostapd-2.6-5.3.1
SUSE-SU-2020:3380-1: An update that fixes 22 vulnerabilities, contains one feature is now available.
Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References: SLE-14992
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Server 15-LTSS (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): wpa_supplicant-2.9-4.20.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): wpa_supplicant-2.9-4.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:2053-1: An update that fixes 22 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): wpa_supplicant-2.9-lp151.5.10.1
openSUSE-SU-2020:2059-1: An update that fixes 22 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1131644,1131868,1131870,1131871,1131872,1131874,1133640,1144443,1150934,1156920,1166933,1167331,930077,930078,930079
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-8041,CVE-2017-13077,CVE-2017-13078,CVE-2017-13079,CVE-2017-13080,CVE-2017-13081,CVE-2017-13082,CVE-2017-13086,CVE-2017-13087,CVE-2017-13088,CVE-2018-14526,CVE-2019-11555,CVE-2019-13377,CVE-2019-16275,CVE-2019-9494,CVE-2019-9495,CVE-2019-9497,CVE-2019-9498,CVE-2019-9499
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): wpa_supplicant-2.9-lp152.8.3.1