PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-07
* Released on: 8 October 2012
* Affected product: Hostapd 0.6 - 1.0
* Impact: denial of service
* Origin: specially crafted EAP-TLS messages
* CVSS Base Score: 7.8
  Impact Subscore: 6.9
  Exploitability Subscore: 10
  CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-4445

Summary
-------

The internal EAP authentication server of hostapd does not sufficiently
validate the message length field of EAP-TLS messages, which can be
exploited for a denial-of-service via specially crafted EAP-TLS messages
(before authentication).

Hostapd has a function eap_server_tls_process_fragment() used by its
internal EAP authentication server for handling fragmented EAP-TLS
messages. The function (indirectly) calls wpabuf_overflow(), aborting the
application in case of potential buffer overflows. Such a situation can be
triggered by an attacker sending an EAP-TLS message with a) the "More
Fragments" flag set and b) a "TLS Message Length" value that is smaller
than the size of the "TLS Data" field.

The vulnerability can be exploited only if hostapd is configured to use
its internal EAP authentication server, either directly for IEEE 802.1X
or when using hostapd as a RADIUS authentication server.

Affected is hostapd in versions 0.6 - 1.0. The issue was introduced with
commit
http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=34f564dbd5168626da55a7119b04832e98793160

Solution
--------

A patch is available at
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=586c446e0ff42ae00315b014924ec669023bd8de

References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:
http://www.pre-cert.de/advisories/PRE-SA-2012-07.txt

Contact
-------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.
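The length check described in the Summary, shown as an added example of a hardened EAP-TLS fragment reassembly routine (this is not hostapd's code; the struct, function name, flag constants and the 64 KiB upper bound are hypothetical). The declared "TLS Message Length" is validated against the data actually carried before any buffer is sized or written, so a first fragment that announces less data than it contains is rejected instead of reaching an abort path.

```c
/* Added example: minimal EAP-TLS fragment reassembly with a validated
 * declared length. Not hostapd code; all names here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* EAP-TLS flag bits (RFC 5216): L = length included, M = more fragments */
#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80
#define EAP_TLS_FLAGS_MORE_FRAGMENTS  0x40
#define TLS_MSG_MAX_LEN 65536u  /* hypothetical sanity cap on declared length */

struct tls_reasm {
    uint8_t *buf;      /* reassembly buffer, sized from the declared length */
    size_t   declared; /* "TLS Message Length" announced in the first fragment */
    size_t   used;     /* bytes received so far */
};

/* Returns 0 if the fragment is accepted, -1 if it must be rejected.
 * The declared length is checked before allocation, so a fragment that
 * declares fewer bytes than it carries never reaches the copy step. */
int tls_process_fragment(struct tls_reasm *r, uint8_t flags,
                         uint32_t tls_msg_len, const uint8_t *data, size_t len)
{
    if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
        /* first fragment: declared length must cover at least this fragment */
        if (tls_msg_len == 0 || tls_msg_len > TLS_MSG_MAX_LEN ||
            tls_msg_len < len)
            return -1;
        free(r->buf);
        r->buf = malloc(tls_msg_len);
        if (r->buf == NULL)
            return -1;
        r->declared = tls_msg_len;
        r->used = 0;
    } else if (r->buf == NULL) {
        return -1; /* continuation fragment with no reassembly in progress */
    }
    if (r->used + len > r->declared)
        return -1; /* fragment would exceed the declared total */
    memcpy(r->buf + r->used, data, len);
    r->used += len;
    if (!(flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) && r->used != r->declared)
        return -1; /* final fragment, but the declared length was not reached */
    return 0;
}
```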