A vulnerability in wpa_supplicant, which is used to authenticate clients on Wi-Fi networks, could expose Android, BSD, Linux, and possibly Windows and Mac OS X systems to attack.
The affected code uses the Service Set Identifier (SSID) information carried in received frames to create or update P2P peer entries. The valid length range of an SSID is 0-32 octets, but on one of the code paths wpa_supplicant did not sufficiently verify the payload length. As a result, arbitrary attacker-supplied data could be copied into a fixed-length buffer of 32 bytes.
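The following is an added illustration of the missing check, not wpa_supplicant's own code: a constructed SSID element (element ID, one length byte, payload) is parsed into a hypothetical peer record with a 32-byte SSID field, and the parser rejects any element whose declared length exceeds either the remaining frame or the 32-octet maximum before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX_LEN 32  /* valid SSID length range is 0-32 octets */

/* Hypothetical peer record; not wpa_supplicant's real structure. */
struct peer_entry {
    uint8_t ssid[SSID_MAX_LEN];   /* fixed 32-byte destination buffer */
    size_t ssid_len;
};

/* Parse one SSID element from an untrusted buffer:
 * byte 0 = element ID (0 for SSID), byte 1 = length, then the payload.
 * Returns 1 and updates *peer on success, 0 if the element is malformed.
 * Without the SSID_MAX_LEN check the memcpy below would overrun the
 * 32-byte field, which is the defect class described for CVE-2015-1863. */
int update_peer_ssid(struct peer_entry *peer, const uint8_t *buf, size_t buf_len)
{
    if (buf_len < 2 || buf[0] != 0)
        return 0;                      /* no SSID element header present */
    size_t ie_len = buf[1];
    if (ie_len > buf_len - 2)
        return 0;                      /* declared length exceeds the frame */
    if (ie_len > SSID_MAX_LEN)
        return 0;                      /* the missing bound: reject, don't copy */
    memcpy(peer->ssid, buf + 2, ie_len);
    peer->ssid_len = ie_len;
    return 1;
}

int main(void)
{
    struct peer_entry peer = {0};
    /* constructed: SSID element carrying the 5-byte SSID "guest" */
    const uint8_t ok[] = {0x00, 0x05, 'g', 'u', 'e', 's', 't'};
    /* constructed: element declaring 40 octets, which must be rejected */
    uint8_t bad[2 + 40] = {0x00, 40};
    memset(bad + 2, 'A', 40);
    printf("valid element accepted: %d (len %zu)\n",
           update_peer_ssid(&peer, ok, sizeof ok), peer.ssid_len);
    printf("oversized element accepted: %d\n",
           update_peer_ssid(&peer, bad, sizeof bad));
    return 0;
}
```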
On the device this results in a corrupted heap state, unexpected program behavior due to corrupted P2P peer device information, denial of service due to a wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.
According to Jouni Malinen, maintainer of wpa_supplicant, “The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.”
This issue was reported by the Google security team and the hardware research group of the Alibaba security team.
Users can fix the issue by merging the following commit from http://w1.fi/security/2015-1/ into wpa_supplicant and rebuilding it: "validate SSID element length before copying it (CVE-2015-1863)". Alternatively, update to wpa_supplicant v2.5 or a newer version once it is available.