The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.

The remote host is affected by the vulnerability described in GLSA-201606-17 (hostapd and wpa_supplicant: Multiple vulnerabilities)

    Multiple vulnerabilities exist in both hostapd and wpa_supplicant.
      Please review the CVE identifiers for more information.
  Impact :

    Remote attackers could execute arbitrary code with the privileges of the       process or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities have been discovered in wpa_supplicant and hostapd. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2015-4141     Kostya Kortchinsky of the Google Security Team     discovered a vulnerability in the WPS UPnP function with     HTTP chunked transfer encoding which may result in a     denial of service.

  - CVE-2015-4142     Kostya Kortchinsky of the Google Security Team     discovered a vulnerability in the WMM Action frame     processing which may result in a denial of service.

  - CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146     Kostya Kortchinsky of the Google Security Team     discovered that EAP-pwd payload is not properly     validated which may result in a denial of service.

  - CVE-2015-5310     Jouni Malinen discovered a flaw in the WMM Sleep Mode     Response frame processing. A remote attacker can take     advantage of this flaw to mount a denial of service.

  - CVE-2015-5314 CVE-2015-5315     Jouni Malinen discovered a flaw in the handling of     EAP-pwd messages which may result in a denial of     service.

  - CVE-2015-5316     Jouni Malinen discovered a flaw in the handling of     EAP-pwd Confirm messages which may result in a denial of     service.

  - CVE-2015-8041     Incomplete WPS and P2P NFC NDEF record payload length     validation may result in a denial of service.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2650-1 advisory.

    Kostya Kortchinsky discovered multiple flaws in wpa_supplicant and hostapd. A remote attacker could use     these issues to cause wpa_supplicant or hostapd to crash, resulting in a denial of service.
    (CVE-2015-4141, CVE-2015-4142, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Jouni Malinen reports :

WPS UPnP vulnerability with HTTP chunked transfer encoding. (2015-2 - CVE-2015-4141)

Integer underflow in AP mode WMM Action frame processing. (2015-3 - CVE-2015-4142)

EAP-pwd missing payload length validation. (2015-4 - CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)

ID	Name	Product	Family	Severity
91862	GLSA-201606-17 : hostapd and wpa_supplicant: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
86833	Debian DSA-3397-1 : wpa - security update	Nessus	Debian Local Security Checks	medium
84230	Ubuntu 14.04 LTS : wpa_supplicant and hostapd vulnerabilities (USN-2650-1)	Nessus	Ubuntu Local Security Checks	high
83964	FreeBSD : hostapd and wpa_supplicant -- multiple vulnerabilities (bbc0db92-084c-11e5-bb90-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2015-4146

high

Tenable Plugins

medium

medium

high

medium