[Secure-testing-team] Bug#783148: wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability

Salvatore Bonaccorso carnil at debian.org
Wed Apr 22 20:57:22 UTC 2015 

Source: wpa
Version: 2.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

Hi,

the following vulnerability was published for wpa.

CVE-2015-1863[0]:
| P2P SSID processing vulnerability:
| A vulnerability was found in how wpa_supplicant uses SSID information
| parsed from management frames that create or update P2P peer entries
| (e.g., Probe Response frame or number of P2P Public Action frames). SSID
| field has valid length range of 0-32 octets. However, it is transmitted
| in an element that has a 8-bit length field and potential maximum
| payload length of 255 octets. wpa_supplicant was not sufficiently
| verifying the payload length on one of the code paths using the SSID
| received from a peer device.
|
| This can result in copying arbitrary data from an attacker to a fixed
| length buffer of 32 bytes (i.e., a possible overflow of up to 223
| bytes). The SSID buffer is within struct p2p_device that is allocated
| from heap. The overflow can override couple of variables in the struct,
| including a pointer that gets freed. In addition about 150 bytes (the
| exact length depending on architecture) can be written beyond the end of
| the heap allocation.
|
| This could result in corrupted state in heap, unexpected program
| behavior due to corrupted P2P peer device information, denial of service
| due to wpa_supplicant process crash, exposure of memory contents during
| GO Negotiation, and potentially arbitrary code execution.
|
| Vulnerable versions/configurations
|
| wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
|
| Attacker (or a system controlled by the attacker) needs to be within
| radio range of the vulnerable system to send a suitably constructed
| management frame that triggers a P2P peer device information to be
| created or updated.
|
| The vulnerability is easiest to exploit while the device has started an
| active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
| interface command in progress). However, it may be possible, though
| significantly more difficult, to trigger this even without any active
| P2P operation in progress.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1863
[1] http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
[2] http://w1.fi/security/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch

Regards,
Salvatore

More information about the Secure-testing-team mailing list