SB2016062710 - Gentoo update for hostapd and wpa_supplicant
Published: June 27, 2016 Updated: September 25, 2016
Description
This security bulletin contains information about 8 security vulnerabilities in hostapd and wpa_supplicant.
1) Input validation error (CVE-ID: CVE-2014-3686)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary commands on the target system.
wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allow remote attackers to execute arbitrary commands via a crafted frame. Text taken from a received frame (for example a P2P device name) is handed to the action script through a shell command line without sanitization, so shell metacharacters in the frame are interpreted as commands.
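The pattern behind this issue, as an added example that is not wpa_supplicant/hostapd code: a device name lifted from a received frame is spliced into a single command line for system(), so a quote and a semicolon in the name break out of the intended argument, while building an argv for execv() keeps the same name as one opaque argument and no shell ever parses it. The script path, interface name, event name and the constructed device name are illustrative assumptions of this example.

```c
/* Added example (not wpa_supplicant/hostapd code): shell command line vs. argv
 * for an action script fed with attacker-controlled frame data. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: one string destined for system() (i.e. /bin/sh -c).
 * Wrapping the data in '...' does not help: a single quote inside the data
 * closes the quoted region and the rest is parsed by the shell. */
int build_system_cmd(char *out, size_t outlen, const char *script,
                     const char *ifname, const char *event, const char *data)
{
    int n = snprintf(out, outlen, "%s %s %s name='%s'", script, ifname, event, data);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: each field is its own argv entry for execv(), so the
 * data reaches the script verbatim as a single argument. Returns argc. */
int build_exec_argv(char *argv[], size_t max, char *script,
                    char *ifname, char *event, char *data)
{
    if (max < 5)
        return -1;
    argv[0] = script;
    argv[1] = ifname;
    argv[2] = event;
    argv[3] = data;
    argv[4] = NULL;
    return 4;
}

/* Would a POSIX shell interpret anything in this string? 1 = yes, 0 = no. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "'\"`$;&|<>()\n") != NULL;
}

/* Run the script without a shell (fork + execv). Returns the child's exit
 * status, or -1 on failure. Not invoked by main() below. */
int run_action_script(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker-controlled device name as it might arrive in a frame. */
    char *name = "dev'; touch /tmp/pwned; echo '";
    char cmd[256];
    char *argv[5];

    build_system_cmd(cmd, sizeof cmd, "/etc/wpa_supplicant/action.sh",
                     "wlan0", "P2P-DEVICE-FOUND", name);
    printf("system() would run: %s\n", cmd);
    printf("shell metacharacters in name: %d\n", has_shell_metachars(name));

    build_exec_argv(argv, 5, "/etc/wpa_supplicant/action.sh",
                    "wlan0", "P2P-DEVICE-FOUND", name);
    printf("execv() argv[3] stays one argument: %s\n", argv[3]);
    return 0;
}
```

The argv variant is the shape of fix that removes the shell from the path entirely; filtering metacharacters out of the event text (the has_shell_metachars check) is a weaker second line of defence, because the list of characters a shell treats specially depends on the shell.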
2) Heap-based buffer overflow (CVE-ID: CVE-2015-1863)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in wpa_supplicant 1.0 through 2.4 when creating or updating P2P peer entries from SSID information in a management frame. A remote attacker can send a management frame with crafted SSID information to trigger a heap-based buffer overflow and crash the process, read memory, or execute arbitrary code on the target system. Only builds with P2P support enabled are affected.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) Heap-based buffer overflow (CVE-ID: CVE-2015-4141)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the WPS UPnP function of hostapd 0.7.0 through 2.4 when acting as a WPS AP, and of wpa_supplicant 0.7.0 through 2.4 when acting as a WPS external registrar (ER). The UPnP interface is carried over HTTP, and a remote attacker can send a request whose chunked transfer encoding announces a negative chunk length to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
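How a negative chunk length turns into a heap overflow, as an added example that is not hostapd code: a chunk-size line parsed with strtol() can yield a negative value, which passes a signed "does it fit?" comparison and then becomes SIZE_MAX when converted for memcpy(). The hardened parser below accepts only unsigned hex digits, bounds the value against a caller-supplied cap before each multiply, and requires the line to end in CRLF or a chunk extension. The 4096-byte cap and all function names are assumptions of this example, and the chunk-size lines are constructed.

```c
/* Added example (not hostapd code): chunk-size parsing, unchecked vs. checked. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable-style parse: returns whatever strtol() decodes, sign included.
 * "-1\r\n" yields -1, and (size_t)-1 is SIZE_MAX. */
long parse_chunk_len_unchecked(const char *line)
{
    return strtol(line, NULL, 16);
}

/* Vulnerable-style bounds check: a signed comparison against the room left.
 * Returns 1 if a copy of chunk_len bytes would be attempted. */
int copy_would_proceed_unchecked(long chunk_len, size_t room)
{
    return chunk_len <= (long)room;     /* -1 <= room is true */
}

/* Hardened parse: unsigned hex digits only, capped at maxlen, and only a
 * CRLF, LF, ';' (chunk extension) or end of string may follow the digits.
 * Returns 0 and stores the length in *out, or -1 on anything else. */
int parse_chunk_len_checked(const char *line, size_t maxlen, size_t *out)
{
    size_t v = 0;
    const char *p = line;
    int digits = 0;

    while (isxdigit((unsigned char)*p)) {
        unsigned c = (unsigned char)*p;
        size_t d = isdigit(c) ? c - '0' : (size_t)(tolower(c) - 'a' + 10);
        /* v * 16 + d must not exceed maxlen; test before multiplying. */
        if (d > maxlen || v > (maxlen - d) / 16)
            return -1;
        v = v * 16 + d;
        p++;
        digits++;
    }
    if (digits == 0)                    /* rejects "", " 10" and "-1" alike */
        return -1;
    if (*p != '\r' && *p != '\n' && *p != ';' && *p != '\0')
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed chunk-size lines as they would appear in an HTTP body. */
    const char *lines[] = { "1a;ext=1\r\n", "-1\r\n", "ffffffff\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long raw = parse_chunk_len_unchecked(lines[i]);
        size_t safe = 0;
        int ok = parse_chunk_len_checked(lines[i], 4096, &safe);
        printf("unchecked=%ld (as size_t %zu, copy proceeds=%d)  checked=%s\n",
               raw, (size_t)raw, copy_would_proceed_unchecked(raw, 1024),
               ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The same shape of bug (a signed length accepted by a signed comparison, then widened to size_t) is worth grepping for wherever a daemon parses lengths with strtol() or atoi(); a parser that never produces a signed length has nothing to mis-compare.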
4) Buffer overflow (CVE-ID: CVE-2015-4142)
The vulnerability allows a remote non-authenticated attacker to cause a denial of service.
An integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame that triggers an out-of-bounds read.
5) Buffer overflow (CVE-ID: CVE-2015-4143)
The vulnerability allows a remote non-authenticated attacker to cause a denial of service.
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.
6) Buffer overflow (CVE-ID: CVE-2015-4144)
The vulnerability allows a remote non-authenticated attacker to cause a denial of service.
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field before reading it, which allows remote attackers to cause a denial of service (crash) via a crafted message.
7) Resource management error (CVE-ID: CVE-2015-4145)
The vulnerability allows a remote non-authenticated attacker to cause a denial of service.
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not check whether a fragmented message is already being reassembled before starting a new one, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.
8) Input validation error (CVE-ID: CVE-2015-4146)
The vulnerability allows a remote non-authenticated attacker to cause a denial of service.
The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags of the received message before determining whether its own response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.
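A fragment reassembler that enforces the checks items 5) through 8) describe, as an added example that is not hostapd/wpa_supplicant code. The wire layout follows RFC 5931: one byte carrying the L and M flags and the 6-bit exchange type, then a 16-bit Total-Length only when L is set. It rejects a message too short to hold Total-Length (item 6), resets and frees the pending buffer when a new first fragment arrives mid-reassembly instead of leaking it (item 7), never lets a fragment exceed the announced total (item 5), and hands back only the masked exchange type so the received L/M bits cannot leak into a response header (item 8). The 4096-byte cap, the struct and the function names are assumptions of this example; the packets are constructed.

```c
/* Added example (not hostapd/wpa_supplicant code): EAP-pwd fragment
 * reassembly with the length, state and flag checks the advisories call for. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PWD_L_FLAG    0x80   /* Length: Total-Length field present (first fragment) */
#define PWD_M_FLAG    0x40   /* More: further fragments follow */
#define PWD_EXCH_MASK 0x3f   /* low 6 bits: exchange type (ID / Commit / Confirm) */
#define PWD_MAX_TOTAL 4096   /* assumed upper bound on a reassembled message */

struct pwd_reasm {
    uint8_t *buf;      /* reassembly buffer, malloc'd */
    size_t total;      /* expected length from Total-Length */
    size_t used;       /* bytes collected so far */
    int in_progress;   /* 1 while a fragmented message is being collected */
};

void pwd_reasm_reset(struct pwd_reasm *r)
{
    free(r->buf);
    memset(r, 0, sizeof *r);
}

static int pwd_reasm_fail(struct pwd_reasm *r)
{
    pwd_reasm_reset(r);   /* never leave a half-built buffer behind */
    return -1;
}

/* Feed one EAP-pwd packet body (starting at the L/M/PWD-Exch byte).
 * Returns 1 when a complete message is in r->buf[0..r->used) and *exch_out
 * holds its exchange type, 0 when more fragments are needed, -1 on a
 * malformed packet (state is reset and any buffer freed). */
int pwd_reasm_feed(struct pwd_reasm *r, const uint8_t *pkt, size_t len, uint8_t *exch_out)
{
    if (len < 1)
        return pwd_reasm_fail(r);
    uint8_t lm = pkt[0];
    uint8_t exch = lm & PWD_EXCH_MASK;   /* strip L/M; only the type is reused */
    const uint8_t *body = pkt + 1;
    size_t blen = len - 1;

    if (lm & PWD_L_FLAG) {
        if (blen < 2)                     /* Total-Length must actually be present */
            return pwd_reasm_fail(r);
        size_t total = ((size_t)body[0] << 8) | body[1];
        body += 2;
        blen -= 2;
        if (r->in_progress)               /* a new first fragment while one is pending */
            return pwd_reasm_fail(r);
        if (total == 0 || total > PWD_MAX_TOTAL)
            return pwd_reasm_fail(r);
        r->buf = malloc(total);
        if (!r->buf)
            return pwd_reasm_fail(r);
        r->total = total;
        r->used = 0;
        r->in_progress = 1;
    } else if (!r->in_progress) {
        /* Unfragmented message: M must be clear; the payload is the message. */
        if (lm & PWD_M_FLAG)
            return pwd_reasm_fail(r);
        r->buf = malloc(blen ? blen : 1);
        if (!r->buf)
            return pwd_reasm_fail(r);
        memcpy(r->buf, body, blen);
        r->total = r->used = blen;
        *exch_out = exch;
        return 1;
    }

    /* Append this fragment; it may not exceed the announced Total-Length. */
    if (blen > r->total - r->used)
        return pwd_reasm_fail(r);
    memcpy(r->buf + r->used, body, blen);
    r->used += blen;

    if (lm & PWD_M_FLAG)
        return 0;                         /* wait for the rest */
    if (r->used != r->total)              /* final fragment but message is short */
        return pwd_reasm_fail(r);
    r->in_progress = 0;
    *exch_out = exch;
    return 1;
}
```

The caller consumes r->buf after a return of 1 and then calls pwd_reasm_reset(); every error path goes through the same reset, which is what makes a leak impossible by construction rather than by remembering to free in each branch.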
Remediation
Install the updated net-wireless/hostapd and net-wireless/wpa_supplicant packages through Portage (emerge). Upstream fixed CVE-2014-3686 in release 2.3 and the 2015 issues in release 2.5 (patches against 2.4 were also published), so the installed version should be at or above the one the Gentoo advisory names. Restart the affected daemons after updating so that the new binaries are in use.