exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hostapd Missing EAP-TLS Message Length Validation

Hostapd Missing EAP-TLS Message Length Validation
Posted Oct 8, 2012
Authored by Timo Warns | Site pre-cert.de

Hostapd versions 0.6 through 1.0 fail to validation EAP-TLS message length allowing for a possible denial of service condition.

tags | advisory, denial of service
advisories | CVE-2012-4445
SHA-256 | a0941ae5fb0105278f2f227f2f8eeb6cb5597abe9be8c07f467d7e20a835d576

Hostapd Missing EAP-TLS Message Length Validation

Change Mirror Download
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-07
* Released on: 8 October 2012
* Affected product: Hostapd 0.6 - 1.0
* Impact: denial of service
* Origin: specially crafted EAP-TLS messages
* CVSS Base Score: 7.8
Impact Subscore: 6.9
Exploitability Subscore: 10
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-4445


Summary
-------

The internal EAP authentication server of hostapd does not sufficiently
validate the message length field of EAP-TLS messages, which can be
exploited for a denial-of-service via specially crafted EAP-TLS messages
(before authentication).

Hostapd has a function eap_server_tls_process_fragment() used by its
internal EAP authentication server for handling fragmented EAP-TLS
messages. The function (indirectly) calls wpabuf_overflow() aborting
the application in case of potential buffer overflows. Such a situation
can be triggered by an attacker sending an EAP-TLS message with

a) the "More Fragments" flag set and
b) an "TLS Message Length" value that is smaller than the size of
the "TLS Data" field.

The vulnerability can be exploited only if hostapd is configured to use
its internal EAP authentication server, either directly for IEEE 802.11x
or when using hostapd as a RADIUS authentication server.

Affected is hostapd in versions 0.6 - 1.0. The issue was introduced with
commit
http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=34f564dbd5168626da55a7119b04832e98793160


Solution
--------

A patch is available at
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=586c446e0ff42ae00315b014924ec669023bd8de


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-07.txt


Contact
--------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.


Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close