http://source.android.com/security/bulletin/2016-01-01.html

http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt

DSA-3397

[oss-security] 20151110 wpa_supplicant unauthorized WNM Sleep Mode GTK control

77541

1034592

USN-2808-1

This update for wpa_supplicant fixes the following issues :

  - CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked     transfer encoding. (bnc#930077)

  - CVE-2015-4142: Integer underflow in AP mode WMM Action     frame processing. (bnc#930078)

  - CVE-2015-4143: EAP-pwd missing payload length     validation. (bnc#930079) 

  - CVE-2015-5310: Ignore Key Data in WNM Sleep Mode     Response frame if no PMF in use. (bsc#952254)

  - CVE-2015-8041: Fix payload length validation in NDEF     record parser. (bsc#937419)

This update was imported from the SUSE:SLE-12:Update update project.

This update for wpa_supplicant fixes the following issues :

  - CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked     transfer encoding. (bnc#930077)

  - CVE-2015-4142: Integer underflow in AP mode WMM Action     frame processing. (bnc#930078)

  - CVE-2015-4143: EAP-pwd missing payload length     validation. (bnc#930079)

  - CVE-2015-5310: Ignore Key Data in WNM Sleep Mode     Response frame if no PMF in use. (bsc#952254)

  - CVE-2015-8041: Fix payload length validation in NDEF     record parser. (bsc#937419)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jouni Malinen reports :

wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 - CVE-2015-5310)

EAP-pwd missing last fragment length validation. (2015-7 - CVE-2015-5315)

EAP-pwd peer error path failure on unexpected Confirm message. (2015-8
- CVE-2015-5316)

It was discovered that wpa_supplicant incorrectly handled WMM Sleep Mode Response frame processing. A remote attacker could use this issue to perform broadcast/multicast packet injections, or cause a denial of service. (CVE-2015-5310)

It was discovered that wpa_supplicant and hostapd incorrectly handled certain EAP-pwd messages. A remote attacker could use this issue to cause a denial of service. (CVE-2015-5314, CVE-2015-5315)

It was discovered that wpa_supplicant incorrectly handled certain EAP-pwd Confirm messages. A remote attacker could use this issue to cause a denial of service. This issue only applied to Ubuntu 15.10.
(CVE-2015-5316).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in wpa_supplicant and hostapd. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2015-4141     Kostya Kortchinsky of the Google Security Team     discovered a vulnerability in the WPS UPnP function with     HTTP chunked transfer encoding which may result in a     denial of service.

  - CVE-2015-4142     Kostya Kortchinsky of the Google Security Team     discovered a vulnerability in the WMM Action frame     processing which may result in a denial of service.

  - CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146     Kostya Kortchinsky of the Google Security Team     discovered that EAP-pwd payload is not properly     validated which may result in a denial of service.

  - CVE-2015-5310     Jouni Malinen discovered a flaw in the WMM Sleep Mode     Response frame processing. A remote attacker can take     advantage of this flaw to mount a denial of service.

  - CVE-2015-5314 CVE-2015-5315     Jouni Malinen discovered a flaw in the handling of     EAP-pwd messages which may result in a denial of     service.

  - CVE-2015-5316     Jouni Malinen discovered a flaw in the handling of     EAP-pwd Confirm messages which may result in a denial of     service.

  - CVE-2015-8041     Incomplete WPS and P2P NFC NDEF record payload length     validation may result in a denial of service.

ID	Name	Product	Family	Severity
93700	openSUSE Security Update : wpa_supplicant (openSUSE-2016-1104)	Nessus	SuSE Local Security Checks	medium
93507	SUSE SLED12 / SLES12 Security Update : wpa_supplicant (SUSE-SU-2016:2305-1)	Nessus	SuSE Local Security Checks	medium
90568	FreeBSD : hostapd and wpa_supplicant -- multiple vulnerabilities (976567f6-05c5-11e6-94fa-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium
86848	Ubuntu 14.04 LTS / 15.04 / 15.10 : wpa vulnerabilities (USN-2808-1)	Nessus	Ubuntu Local Security Checks	medium
86833	Debian DSA-3397-1 : wpa - security update	Nessus	Debian Local Security Checks	medium

CVE-2015-5310

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium

medium