CVE-2015-5314
Published 2018-02-21
Priority P428 medium
CVSS 3.0: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 2.30% (81.1th percentile)
The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | wpa | < wpa 2.3-2.3 (bookworm) | wpa 2.3-2.3 (bookworm) |
| w1.fi | wpa_supplicant | >= 0 < 2.3-2.3 | 2.3-2.3 |
| w1.fi | wpa_supplicant | >= 0 < 2.3-2.3 | 2.3-2.3 |
| w1.fi | wpa_supplicant | >= 0 < 2.3-2.3 | 2.3-2.3 |
| w1.fi | wpa_supplicant | >= 0 < 2.3-2.3 | 2.3-2.3 |
| w1.fi | wpa_supplicant | >= 2.0 < 2.6 | 2.6 |
CVSS provenance
nvdv3.05.9MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv5.9MEDIUM
vendor_debian5.9MEDIUM
vendor_ubuntu4.3MEDIUM
GHSA
GHSA-q29f-crhg-mxh3: The eap_pwd_process function in eap_server/eap_server_pwd
ghsa_unreviewed·2022-05-14
CVE-2015-5314 [MEDIUM] CWE-119 GHSA-q29f-crhg-mxh3: The eap_pwd_process function in eap_server/eap_server_pwd
The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
OSV
CVE-2015-5314: The eap_pwd_process function in eap_server/eap_server_pwd
osv·2018-02-21·CVSS 5.9
CVE-2015-5314 [MEDIUM] CVE-2015-5314: The eap_pwd_process function in eap_server/eap_server_pwd
The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
OSV
wpa vulnerabilities
osv·2015-11-10·CVSS 4.3
CVE-2015-5310 [MEDIUM] wpa vulnerabilities
wpa vulnerabilities
It was discovered that wpa_supplicant incorrectly handled WMM Sleep Mode
Response frame processing. A remote attacker could use this issue to
perform broadcast/multicast packet injections, or cause a denial of
service. (CVE-2015-5310)
It was discovered that wpa_supplicant and hostapd incorrectly handled
certain EAP-pwd messages. A remote attacker could use this issue to cause a
denial of service. (CVE-2015-5314, CVE-2015-5315)
It was discovered that wpa_supplicant incorrectly handled certain EAP-pwd
Confirm messages. A remote attacker could use this issue to cause a
denial of service. This issue only applied to Ubuntu 15.10. (CVE-2015-5316)
Ubuntu
wpa_supplicant and hostapd vulnerabilities
vendor_ubuntu·2015-11-10·CVSS 4.3
CVE-2015-5310 [MEDIUM] wpa_supplicant and hostapd vulnerabilities
Title: wpa_supplicant and hostapd vulnerabilities
Summary: Several security issues were fixed in wpa_supplicant and hostapd.
It was discovered that wpa_supplicant incorrectly handled WMM Sleep Mode
Response frame processing. A remote attacker could use this issue to
perform broadcast/multicast packet injections, or cause a denial of
service. (CVE-2015-5310)
It was discovered that wpa_supplicant and hostapd incorrectly handled
certain EAP-pwd messages. A remote attacker could use this issue to cause a
denial of service. (CVE-2015-5314, CVE-2015-5315)
It was discovered that wpa_supplicant incorrectly handled certain EAP-pwd
Confirm messages. A remote attacker could use this issue to cause a
denial of service. This issue only applied to Ubuntu 15.10. (CVE-2015-5316)
Instructions: After a
Debian
CVE-2015-5314: wpa - The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x befor...
vendor_debian·2015·CVSS 5.9
CVE-2015-5314 [MEDIUM] CVE-2015-5314: wpa - The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x befor...
The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
Scope: local
bookworm: resolved (fixed in 2.3-2.3)
bullseye: resolved (fixed in 2.3-2.3)
forky: resolved (fixed in 2.3-2.3)
sid: resolved (fixed in 2.3-2.3)
trixie: resolved (fixed in 2.3-2.3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-5315 wpa_supplicant: EAP-pwd missing last fragment length validation
bugzilla·2015-11-05·CVSS 5.9
CVE-2015-5315 [MEDIUM] CVE-2015-5315 wpa_supplicant: EAP-pwd missing last fragment length validation
CVE-2015-5315 wpa_supplicant: EAP-pwd missing last fragment length validation
The following flaw was reported in hostapd:
A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length was not checked for the last fragment (but was checked for other fragments). This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.
For wpa_supplicant with EAP-pwd enabled in a network configuration profile, this could allow a denial of service attack by an attacke
Bugzilla
CVE-2015-5314 hostapd: EAP-pwd missing last fragment length validation
bugzilla·2015-11-05·CVSS 5.9
CVE-2015-5314 [MEDIUM] CVE-2015-5314 hostapd: EAP-pwd missing last fragment length validation
CVE-2015-5314 hostapd: EAP-pwd missing last fragment length validation
The following flaw was reported in hostapd:
A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length was not checked for the last fragment (but was checked for other fragments). This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.
For hostapd used with an internal EAP server and EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack b
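The two Bugzilla entries above (for wpa_supplicant and for hostapd) describe the same defect: the remaining reassembly buffer length is checked for intermediate fragments but not for the last one, and the bounds check inside wpabuf_put_data() then turns the oversized final fragment into process termination. The following C model, added here as an illustration and not taken from hostapd or wpa_supplicant, reproduces that control flow with assumed names (`pwd_reasm`, `process_fragment`, `run_scenario`): the `check_last` flag selects between applying the remaining-length check to every fragment (the fixed behaviour) or only to non-final fragments (the pre-2.6 behaviour). The bounds-checked copy returns a sentinel instead of aborting so the two outcomes can be compared in one process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reassembly state for one fragmented EAP-pwd message.
 * Names are assumptions for this example, not identifiers from hostapd. */
struct pwd_reasm {
    uint8_t *buf;   /* reassembly buffer */
    size_t size;    /* total length announced by the first fragment */
    size_t used;    /* bytes received so far */
};

enum reasm_status {
    REASM_NEED_MORE = 0,      /* fragment accepted, more expected */
    REASM_DONE = 1,           /* final fragment accepted, message complete */
    REASM_REJECT = -1,        /* fragment dropped by the length check; service continues */
    REASM_OVERFLOW_TRAP = -2  /* bounds check in the copy routine fired: in the real code this is process termination */
};

/* Stand-in for wpabuf_put_data(): refuses to write past the buffer. In hostapd
 * the equivalent overflow path ends the process; here it returns a sentinel. */
static int put_data(struct pwd_reasm *r, const uint8_t *data, size_t len)
{
    if (len > r->size - r->used)
        return REASM_OVERFLOW_TRAP;
    memcpy(r->buf + r->used, data, len);
    r->used += len;
    return 0;
}

/* Process one fragment. more_frags mirrors the EAP-pwd "more fragments" bit.
 * check_last == 0: remaining-length check skipped for the last fragment (vulnerable).
 * check_last == 1: remaining-length check applied to every fragment (fixed). */
static int process_fragment(struct pwd_reasm *r, const uint8_t *frag, size_t len,
                            int more_frags, int check_last)
{
    if (more_frags || check_last) {
        if (len > r->size - r->used)
            return REASM_REJECT;  /* drop the frame and keep serving other peers */
    }
    if (put_data(r, frag, len) != 0)
        return REASM_OVERFLOW_TRAP;
    return more_frags ? REASM_NEED_MORE : REASM_DONE;
}

/* Constructed exchange: announced total of 8 bytes, two 3-byte fragments,
 * then a final fragment of fin_len bytes (only 2 bytes of room remain). */
int run_scenario(size_t fin_len, int check_last)
{
    uint8_t storage[8];
    struct pwd_reasm r = { storage, sizeof storage, 0 };
    const uint8_t chunk[3] = { 0xaa, 0xbb, 0xcc };
    uint8_t final_frag[64];
    int s;

    memset(final_frag, 0x11, sizeof final_frag);
    if (fin_len > sizeof final_frag)
        fin_len = sizeof final_frag;

    s = process_fragment(&r, chunk, sizeof chunk, 1, check_last);
    if (s != REASM_NEED_MORE)
        return s;
    s = process_fragment(&r, chunk, sizeof chunk, 1, check_last);
    if (s != REASM_NEED_MORE)
        return s;
    return process_fragment(&r, final_frag, fin_len, 0, check_last);
}

int main(void)
{
    printf("well-formed last fragment, unchecked: %d\n", run_scenario(2, 0));
    printf("well-formed last fragment, checked:   %d\n", run_scenario(2, 1));
    printf("oversized last fragment, unchecked:   %d\n", run_scenario(40, 0));
    printf("oversized last fragment, checked:     %d\n", run_scenario(40, 1));
    return 0;
}
```

The point the model makes is the one the advisory makes: both variants keep memory safe, because the copy routine refuses to overrun the buffer, but only the variant that validates the final fragment's length up front can discard a malformed frame without terminating the service.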
References:
- http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt
- http://www.openwall.com/lists/oss-security/2015/11/10/10
- http://www.ubuntu.com/usn/USN-2808-1
- https://www.debian.org/security/2015/dsa-3397