CVE-2019-11555
Published 2019-04-26
Priority: P4 · 30 · medium · 5.9 (CVSS 3.0)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 3.25% (86.8th percentile)
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wpa | < wpa 2:2.7+git20190128+0c1e29f-5 (bookworm) | wpa 2:2.7+git20190128+0c1e29f-5 (bookworm) |
| w1.fi | hostapd | < 2.8 | 2.8 |
| w1.fi | wpa_supplicant | < 2.8 | 2.8 |
| w1.fi | wpa_supplicant | >= 0 < 2:2.7+git20190128+0c1e29f-5 | 2:2.7+git20190128+0c1e29f-5 |
| w1.fi | wpa_supplicant | >= 0 < 2:2.7+git20190128+0c1e29f-5 | 2:2.7+git20190128+0c1e29f-5 |
| w1.fi | wpa_supplicant | >= 0 < 2:2.7+git20190128+0c1e29f-5 | 2:2.7+git20190128+0c1e29f-5 |
| w1.fi | wpa_supplicant | >= 0 < 2:2.7+git20190128+0c1e29f-5 | 2:2.7+git20190128+0c1e29f-5 |
CVSS provenance
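| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | | 5.9 | MEDIUM | |
| vendor_debian | | 5.9 | MEDIUM | |
| vendor_redhat | | 5.9 | MEDIUM | |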
BSD
FreeBSD-SA-19:03.wpa: Multiple vulnerabilities in hostapd and wpa_supplicant
bsd_advisories·2019-05-14·CVSS 5.9
CVE-2019-11555 [MEDIUM] FreeBSD-SA-19:03.wpa: Multiple vulnerabilities in hostapd and wpa_supplicant
FreeBSD-SA-19:03.wpa Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in hostapd and wpa_supplicant
Category: contrib
Module: wpa
Announced: 2019-05-14
Affects: All supported versions of FreeBSD.
Corrected: 2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE)
           2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4)
           2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE)
           2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name: CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
          CVE-2019-9498, CVE-2019-9499, CVE-2019-11555
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Wi-Fi Protected Access II (WPA2) is a security protocol deve
Ubuntu
wpa_supplicant and hostapd vulnerability
vendor_ubuntu·2019-05-09
CVE-2019-11555 wpa_supplicant and hostapd vulnerability
Title: wpa_supplicant and hostapd vulnerability
Summary: wpa_supplicant and hostapd could be made to crash if they received
specially crafted network traffic.
USN-3969-1 fixed a vulnerability in wpa_supplicant and hostapd. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that wpa_supplicant and hostapd incorrectly handled
unexpected fragments when using EAP-pwd. A remote attacker could possibly
use this issue to cause a denial of service.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Ubuntu
wpa_supplicant and hostapd vulnerability
vendor_ubuntu·2019-05-07
CVE-2019-11555 wpa_supplicant and hostapd vulnerability
Title: wpa_supplicant and hostapd vulnerability
Summary: wpa_supplicant and hostapd could be made to crash if they received
specially crafted network traffic.
It was discovered that wpa_supplicant and hostapd incorrectly handled
unexpected fragments when using EAP-pwd. A remote attacker could possibly
use this issue to cause a denial of service.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation
vendor_redhat·2019-04-18·CVSS 5.9
CVE-2019-11555 [MEDIUM] CWE-476 wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
Statement: This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, and 6 as they did not include support for EAP-pwd.
This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 7, and 8 as they are not compil
Debian
CVE-2019-11555: wpa - The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant...
vendor_debian·2019·CVSS 5.9
CVE-2019-11555 [MEDIUM] CVE-2019-11555: wpa - The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant...
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
Scope: local
bookworm: resolved (fixed in 2:2.7+git20190128+0c1e29f-5)
bullseye: resolved (fixed in 2:2.7+git20190128+0c1e29f-5)
forky: resolved (fixed in 2:2.7+git20190128+0c1e29f-5)
sid: resolved (fixed in 2:2.7+git20190128+0c1e29f-5)
trixie: resolved (fixed in 2:2.7+git20190128+0c1e29f-5)
GHSA
GHSA-3r3j-9m7c-h35g: The EAP-pwd implementation in hostapd (EAP server) before 2
ghsa_unreviewed·2022-05-24
CVE-2019-11555 [MEDIUM] CWE-476 GHSA-3r3j-9m7c-h35g: The EAP-pwd implementation in hostapd (EAP server) before 2
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
OSV
CVE-2019-11555: The EAP-pwd implementation in hostapd (EAP server) before 2
osv·2019-04-26·CVSS 5.9
CVE-2019-11555 [MEDIUM] CVE-2019-11555: The EAP-pwd implementation in hostapd (EAP server) before 2
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-11555 hostapd: wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation [epel-all]
bugzilla·2019-05-22·CVSS 5.9
CVE-2019-11555 [MEDIUM] CVE-2019-11555 hostapd: wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and
Bugzilla
CVE-2019-11555 hostapd: wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation [fedora-all]
bugzilla·2019-05-22·CVSS 5.9
CVE-2019-11555 [MEDIUM] CVE-2019-11555 hostapd: wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog
Bugzilla
CVE-2019-11555 wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation [fedora-all]
bugzilla·2019-04-26·CVSS 5.9
CVE-2019-11555 [MEDIUM] CVE-2019-11555 wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
f
Bugzilla
CVE-2019-11555 wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation
bugzilla·2019-04-26·CVSS 5.9
CVE-2019-11555 [MEDIUM] CVE-2019-11555 wpa_supplicant: NULL pointer dereference due to improper fragmentation reassembly state validation in EAP-pwd implementation
EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) was discovered not to validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to NULL pointer dereference.
Discussion:
Created wpa_supplicant tracking bugs for this issue:
Affects: fedora-all [bug 1703418]
---
References:
https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt
---
Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=d2d1a324ce937628e4d9d9999fe113819b7d4478
https://w1.fi/cgit/hostap/commit/?id=fe76f487e28bdc61940f304f153
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware
arxiv_fulltext·2022-12-29
## Abstract
Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement , which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on , we present the first l
References
http://www.openwall.com/lists/oss-security/2019/04/26/1
https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5T7G763UECWR7FQXOJVL67PW7C5A3SA4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJKZHAT5KPUN26JL77EUH563GAH5XZ5C/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IQ6P2GI5GSXRNLNIUNPARFZQVDEIGVZD/
https://seclists.org/bugtraq/2019/May/40
https://seclists.org/bugtraq/2019/May/64
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc
https://security.gentoo.org/glsa/201908-25
https://usn.ubuntu.com/3969-1/
https://usn.ubuntu.com/3969-2/
https://w1.fi/security/2019-5/
https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt
https://www.debian.org/security/2019/dsa-4450
https://www.openwall.com/lists/oss-security/2019/04/18/6