FreeBSD : wpa_supplicant -- P2P SSID processing vulnerability (cb9d2fcd-eb47-11e4-b03e-002590263bf5)

medium Nessus Plugin ID 83082

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Jouni Malinen reports :

A vulnerability was found in how wpa_supplicant uses SSID information parsed from management frames that create or update P2P peer entries (e.g., Probe Response frame or number of P2P Public Action frames).
SSID field has valid length range of 0-32 octets. However, it is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets. wpa_supplicant was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device.

This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The SSID buffer is within struct p2p_device that is allocated from heap. The overflow can override couple of variables in the struct, including a pointer that gets freed. In addition about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.

This could result in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled (which is not compiled by default).

Attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a suitably constructed management frame that triggers a P2P peer device information to be created or updated.

The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.

Solution

Update the affected package.

See Also

http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt

http://www.nessus.org/u?5faf263f

Plugin Details

Severity: Medium

ID: 83082

File Name: freebsd_pkg_cb9d2fcdeb4711e4b03e002590263bf5.nasl

Version: 2.5

Type: local

Published: 4/27/2015

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:wpa_supplicant, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 4/25/2015

Vulnerability Publication Date: 4/22/2015

Reference Information

CVE: CVE-2015-1863