Vulnerability in Wi-fi authentication component

A vulnerability in wpa_supplicant, used to authenticate clients on Wi-fi networks, could expose Android, BSD, Linux, and possibly Windows and Mac OS X system to attack.

The  vulnerability uses Service Set Identifier’s information to create or update P2P peer  entries. The valid length range of SSID is 0-32 octets, but on one of the code paths wpa_supplicant was not sufficiently verifying the payload length. This resulted in copying of  arbitrary data from an attacker to a fixed length buffer of 32 bytes.

The device  results in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.

According to Jouni Malinen, maintainer of wpa_supplicant, “The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.”

This issue was reported by the Google security team and hardware research group of Alibaba security team.

The users could merge the following commits to wpa_supplicant and rebuild it,  validate SSID element length before copying it (CVE-2015-1863) from  Update to  wpa_supplicant v2.5 or newer versions, once  they are available.

Share this with Your friends: