CVE-2015-5315
Published: 2018-02-21
Priority: P4 · 28 · medium · CVSS 3.0 base score 5.9
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.55% (83.1st percentile)
The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
Affected
7 ranges as listed by the aggregator. Four of the w1.fi rows are identical and carry "2.3-2.3", which is Debian's package version (see the Debian entry below), not an upstream wpa_supplicant release; the upstream fix is 2.6, as the description states.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | wpa | < 2.3-2.3 (bookworm) | 2.3-2.3 (bookworm) |
| w1.fi | wpa_supplicant | >= 0 < 2.3-2.3 (Debian package version, listed four times) | 2.3-2.3 |
| w1.fi | wpa_supplicant | >= 2.0 < 2.6 | 2.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
Red Hat
wpa_supplicant: EAP-pwd missing last fragment length validation
vendor_redhat·2015-11-10·CVSS 5.9
CVE-2015-5315 [MEDIUM] CWE-20 wpa_supplicant: EAP-pwd missing last fragment length validation
The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
Statement: Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Package: wpa_supplicant (Red Hat Enterprise Linux 5) - Not affected
Package: wpa_supplicant (Red Hat Enterprise Linux 6) - Not affected
Package: wpa_supplicant (Red Hat Enterprise Linux 7) - Not affected
Ubuntu
wpa_supplicant and hostapd vulnerabilities
vendor_ubuntu·2015-11-10·CVSS 4.3
CVE-2015-5310 [MEDIUM] wpa_supplicant and hostapd vulnerabilities
Summary: Several security issues were fixed in wpa_supplicant and hostapd.
It was discovered that wpa_supplicant incorrectly handled WMM Sleep Mode
Response frame processing. A remote attacker could use this issue to
perform broadcast/multicast packet injections, or cause a denial of
service. (CVE-2015-5310)
It was discovered that wpa_supplicant and hostapd incorrectly handled
certain EAP-pwd messages. A remote attacker could use this issue to cause a
denial of service. (CVE-2015-5314, CVE-2015-5315)
It was discovered that wpa_supplicant incorrectly handled certain EAP-pwd
Confirm messages. A remote attacker could use this issue to cause a
denial of service. This issue only applied to Ubuntu 15.10. (CVE-2015-5316)
Instructions: After a
Debian
CVE-2015-5315: wpa - The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before ...
vendor_debian·2015·CVSS 5.9
CVE-2015-5315 [MEDIUM] CVE-2015-5315: wpa - The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before ...
The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
Scope: local
bookworm: resolved (fixed in 2.3-2.3)
bullseye: resolved (fixed in 2.3-2.3)
forky: resolved (fixed in 2.3-2.3)
sid: resolved (fixed in 2.3-2.3)
trixie: resolved (fixed in 2.3-2.3)
GHSA
GHSA-qmc2-8wcw-c6p2: The eap_pwd_process function in eap_peer/eap_pwd
ghsa_unreviewed·2022-05-14
CVE-2015-5315 [MEDIUM] CWE-119 GHSA-qmc2-8wcw-c6p2: The eap_pwd_process function in eap_peer/eap_pwd
The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
OSV
CVE-2015-5315: The eap_pwd_process function in eap_peer/eap_pwd
osv·2018-02-21·CVSS 5.9
CVE-2015-5315 [MEDIUM] CVE-2015-5315: The eap_pwd_process function in eap_peer/eap_pwd
The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
OSV
wpa vulnerabilities
osv·2015-11-10·CVSS 4.3
CVE-2015-5310 [MEDIUM] wpa vulnerabilities
Advisory text identical to the Ubuntu entry above (USN-2808-1): CVE-2015-5310 (WMM Sleep Mode Response handling), CVE-2015-5314 and CVE-2015-5315 (EAP-pwd fragment handling in hostapd and wpa_supplicant), CVE-2015-5316 (EAP-pwd Confirm handling, Ubuntu 15.10 only).
No detection rules found.
Bugzilla
CVE-2015-5315 wpa_supplicant: EAP-pwd missing last fragment length validation
bugzilla·2015-11-05·CVSS 5.9
CVE-2015-5315 [MEDIUM] CVE-2015-5315 wpa_supplicant: EAP-pwd missing last fragment length validation
The following flaw was reported in hostapd:
A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length was not checked for the last fragment (but was checked for other fragments). This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.
For wpa_supplicant with EAP-pwd enabled in a network configuration profile, this could allow a denial of service attack by an attacke
Bugzilla
CVE-2015-5314 hostapd: EAP-pwd missing last fragment length validation
bugzilla·2015-11-05·CVSS 5.9
CVE-2015-5314 [MEDIUM] CVE-2015-5314 hostapd: EAP-pwd missing last fragment length validation
The following flaw was reported in hostapd:
A vulnerability was found in EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length was not checked for the last fragment (but was checked for other fragments). This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.
For hostapd used with an internal EAP server and EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack b
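The reassembly flaw described in the two Bugzilla entries above is the same on both sides (peer in wpa_supplicant for CVE-2015-5315, server in hostapd for CVE-2015-5314): fragments with the M bit set were checked against the remaining buffer space, the final fragment was not, and the bounds check inside the buffer put routine then terminated the process rather than overflow. The following C program is an added example written for this page, not wpa_supplicant or hostapd source. The names buf_put(), reassemble(), the scenario_*() helpers and the sample fragment sequences are constructed here, and the fragment layout is reduced to flags, a total length and a payload. The `hardened` flag selects between the pre-2.6 control flow and the corrected one that validates every fragment, including the last.

```c
/*
 * Model of EAP-pwd fragment reassembly with the missing last-fragment
 * length check (CVE-2015-5314 / CVE-2015-5315). Illustrative code for this
 * page, not project source: buf_put(), reassemble() and scenario_*() are
 * invented here. Control flow follows the advisory: non-final fragments
 * (M bit) were length checked, the final one was not, and the bounds check
 * inside the buffer put routine then aborted instead of overflowing.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EAP_PWD_F_LEN  0x80   /* L bit: fragment carries the total message length */
#define EAP_PWD_F_MORE 0x40   /* M bit: more fragments follow */

enum { RESULT_OK = 0, RESULT_REJECTED = -1, RESULT_ABORTED = -2 };

struct buf { uint8_t *data; size_t size; size_t used; };

/* One received EAP-pwd fragment (payload only, headers already parsed). */
struct frag { uint8_t flags; uint16_t total_len; const uint8_t *payload; size_t len; };

/* Stand-in for wpabuf_put_data(): the real routine calls abort() when the
 * write would exceed the buffer. Here the event is recorded so the outcome
 * can be inspected instead of killing the process. */
static int would_abort;
static void buf_put(struct buf *b, const uint8_t *src, size_t len)
{
    if (b->used + len > b->size) { would_abort = 1; return; }   /* abort() in real code */
    memcpy(b->data + b->used, src, len);
    b->used += len;
}

/* Feed a fragment sequence through reassembly.
 * hardened == 0: pre-2.6 logic, last fragment appended unchecked.
 * hardened == 1: the fix, remaining space checked for every fragment. */
int reassemble(const struct frag *frags, size_t n, int hardened)
{
    struct buf in = { NULL, 0, 0 };
    size_t in_frag_pos = 0;
    int rc = RESULT_REJECTED;          /* ran out of fragments without a final one */
    would_abort = 0;

    for (size_t i = 0; i < n; i++) {
        const struct frag *f = &frags[i];
        int more = f->flags & EAP_PWD_F_MORE;

        if (f->flags & EAP_PWD_F_LEN) {
            /* First fragment announces the total length: allocate the reassembly buffer. */
            if (in.data) { rc = RESULT_REJECTED; break; }     /* duplicate L bit */
            in.data = calloc(1, f->total_len ? f->total_len : 1);
            in.size = f->total_len;
        }
        if (in.data && (more || hardened) && in_frag_pos + f->len > in.size) {
            /* Remaining-length check: vulnerable code only reached it for M-bit fragments. */
            rc = RESULT_REJECTED;
            break;
        }
        if (more) {
            if (!in.data) { rc = RESULT_REJECTED; break; }    /* M bit without a buffer */
            buf_put(&in, f->payload, f->len);
            if (would_abort) { rc = RESULT_ABORTED; break; }
            in_frag_pos += f->len;
            continue;                                         /* real code ACKs here */
        }
        if (in_frag_pos) {
            /* Final fragment: appended with no check in the vulnerable version. */
            buf_put(&in, f->payload, f->len);
            if (would_abort) { rc = RESULT_ABORTED; break; }
            in_frag_pos += f->len;
        }
        rc = RESULT_OK;                /* whole message available for EAP-pwd processing */
        break;
    }
    free(in.data);
    return rc;
}

/* Constructed fragment sequences; payload bytes are arbitrary. */
static const uint8_t junk[16] = { 0 };

int scenario_benign(int hardened)       /* 6 + 4 bytes into a 10-byte buffer */
{
    struct frag f[] = { { EAP_PWD_F_LEN | EAP_PWD_F_MORE, 10, junk, 6 }, { 0, 0, junk, 4 } };
    return reassemble(f, 2, hardened);
}

int scenario_big_last(int hardened)     /* final fragment of 8 bytes, only 4 left */
{
    struct frag f[] = { { EAP_PWD_F_LEN | EAP_PWD_F_MORE, 10, junk, 6 }, { 0, 0, junk, 8 } };
    return reassemble(f, 2, hardened);
}

int scenario_big_middle(int hardened)   /* oversized non-final fragment: caught either way */
{
    struct frag f[] = { { EAP_PWD_F_LEN | EAP_PWD_F_MORE, 10, junk, 6 }, { EAP_PWD_F_MORE, 0, junk, 8 } };
    return reassemble(f, 2, hardened);
}

int main(void)
{
    printf("benign     : vuln=%d fixed=%d\n", scenario_benign(0), scenario_benign(1));
    printf("big last   : vuln=%d fixed=%d  (-2 = process would abort)\n",
           scenario_big_last(0), scenario_big_last(1));
    printf("big middle : vuln=%d fixed=%d\n", scenario_big_middle(0), scenario_big_middle(1));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The oversized middle fragment is rejected in both modes because that check already existed; only the oversized final fragment separates the two paths: the vulnerable flow reaches the put routine and would abort, the corrected flow returns an error the daemon can log and discard, which is what the advisory's fix (validating the remaining reassembly buffer length for the last fragment as well) restores.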
References
http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt
http://www.openwall.com/lists/oss-security/2015/11/10/10
http://www.ubuntu.com/usn/USN-2808-1
https://www.debian.org/security/2015/dsa-3397