Lines 57-62
| 57 |
|
57 |
|
| 58 |
--> |
58 |
--> |
| 59 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
59 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
|
|
60 |
<vuln vid="cb9d2fcd-eb47-11e4-b03e-002590263bf5"> |
| 61 |
<topic>wpa_supplicant -- P2P SSID processing vulnerability</topic> |
| 62 |
<affects> |
| 63 |
<package> |
| 64 |
<name>wpa_supplicant</name> |
| 65 |
<range><lt>2.4_1</lt></range> |
| 66 |
</package> |
| 67 |
</affects> |
| 68 |
<description> |
| 69 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 70 |
<p>Jouni Malinen reports:</p> |
| 71 |
<blockquote cite="http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt"> |
| 72 |
<p>A vulnerability was found in how wpa_supplicant uses SSID information |
| 73 |
parsed from management frames that create or update P2P peer entries |
| 74 |
(e.g., Probe Response frame or number of P2P Public Action frames). SSID |
| 75 |
field has valid length range of 0-32 octets. However, it is transmitted |
| 76 |
in an element that has a 8-bit length field and potential maximum |
| 77 |
payload length of 255 octets. wpa_supplicant was not sufficiently |
| 78 |
verifying the payload length on one of the code paths using the SSID |
| 79 |
received from a peer device.</p> |
| 80 |
<p>This can result in copying arbitrary data from an attacker to a fixed |
| 81 |
length buffer of 32 bytes (i.e., a possible overflow of up to 223 |
| 82 |
bytes). The SSID buffer is within struct p2p_device that is allocated |
| 83 |
from heap. The overflow can override couple of variables in the struct, |
| 84 |
including a pointer that gets freed. In addition about 150 bytes (the |
| 85 |
exact length depending on architecture) can be written beyond the end of |
| 86 |
the heap allocation.</p> |
| 87 |
<p>This could result in corrupted state in heap, unexpected program |
| 88 |
behavior due to corrupted P2P peer device information, denial of service |
| 89 |
due to wpa_supplicant process crash, exposure of memory contents during |
| 90 |
GO Negotiation, and potentially arbitrary code execution.</p> |
| 91 |
<p>Vulnerable versions/configurations</p> |
| 92 |
<p>wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled |
| 93 |
(which is not compiled by default).</p> |
| 94 |
<p>Attacker (or a system controlled by the attacker) needs to be within |
| 95 |
radio range of the vulnerable system to send a suitably constructed |
| 96 |
management frame that triggers a P2P peer device information to be |
| 97 |
created or updated.</p> |
| 98 |
<p>The vulnerability is easiest to exploit while the device has started an |
| 99 |
active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control |
| 100 |
interface command in progress). However, it may be possible, though |
| 101 |
significantly more difficult, to trigger this even without any active |
| 102 |
P2P operation in progress.</p> |
| 103 |
</blockquote> |
| 104 |
</body> |
| 105 |
</description> |
| 106 |
<references> |
| 107 |
<cvename>CVE-2015-1863</cvename> |
| 108 |
<url>http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt</url> |
| 109 |
</references> |
| 110 |
<dates> |
| 111 |
<discovery>2015-04-22</discovery> |
| 112 |
<entry>2015-04-25</entry> |
| 113 |
</dates> |
| 114 |
</vuln> |
| 115 |
|
| 60 |
<vuln vid="505904d3-ea95-11e4-beaf-bcaec565249c"> |
116 |
<vuln vid="505904d3-ea95-11e4-beaf-bcaec565249c"> |
| 61 |
<topic>wordpress -- multiple vulnabilities</topic> |
117 |
<topic>wordpress -- multiple vulnabilities</topic> |
| 62 |
<affects> |
118 |
<affects> |
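Review bot: the new entry's `<range><lt>2.4_1</lt></range>` marks every wpa_supplicant port version before 2.4_1 as affected, while the quoted advisory scopes the bug to "wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled (which is not compiled by default)"; consider adding a sentence outside the blockquote, next to "Jouni Malinen reports:", stating whether the FreeBSD port builds with CONFIG_P2P (and if it is an option, which option controls it), so readers of the entry can tell whether their installed package actually exposes the vulnerable P2P code path rather than having to check the build configuration themselves.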