Vulnerabilities > CVE-2019-11555 - NULL Pointer Dereference vulnerability in W1.Fi Hostapd and WPA Supplicant
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2019-FF1B728D09.NASL description upgrade to latest 2.8 version, that includes fix for CVE-2019-11555. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124876 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124876 title Fedora 30 : 1:wpa_supplicant (2019-ff1b728d09) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1867.NASL description Several vulnerabilities were discovered in WPA supplicant / hostapd. Some of them could only partially be mitigated, please read below for details. CVE-2019-9495 Cache-based side-channel attack against the EAP-pwd implementation: an attacker able to run unprivileged code on the target machine (including for example JavaScript code in a browser on a smartphone) during the handshake could deduce enough information to discover the password in a dictionary attack. This issue has only very partially been mitigated against by reducing measurable timing differences during private key operations. More work is required to fully mitigate this vulnerability. CVE-2019-9497 Reflection attack against EAP-pwd server implementation: a lack of validation of received scalar and elements value in the EAP-pwd-Commit messages could have resulted in attacks that would have been able to complete EAP-pwd authentication exchange without the attacker having to know the password. This did not result in the attacker being able to derive the session key, complete the following key exchange and access the network. CVE-2019-9498 EAP-pwd server missing commit validation for scalar/element: hostapd didn last seen 2020-06-01 modified 2020-06-02 plugin id 127476 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127476 title Debian DLA-1867-1 : wpa security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1036.NASL description According to the versions of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.(CVE-2019-9497) - The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.(CVE-2019-9498) - The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.(CVE-2019-9499) - The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.(CVE-2019-11555) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-03 modified 2020-01-02 plugin id 132629 published 2020-01-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132629 title EulerOS 2.0 SP8 : wpa_supplicant (EulerOS-SA-2020-1036) NASL family Fedora Local Security Checks NASL id FEDORA_2019-D6BC3771A4.NASL description Security fix for CVE-2019-11555 Update to version 2.8 from upstream Drop obsoleted patches Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 127531 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127531 title Fedora 29 : hostapd (2019-d6bc3771a4) NASL family Fedora Local Security Checks NASL id FEDORA_2019-28D3CA93D2.NASL description Update to version 2.8 from upstream, Security fix for [CVE-2019-11555] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 125743 published 2019-06-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125743 title Fedora 30 : hostapd (2019-28d3ca93d2) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201908-25.NASL description The remote host is affected by the vulnerability described in GLSA-201908-25 (hostapd and wpa_supplicant: Denial of Service) A vulnerability was discovered in hostapd’s and wpa_supplicant’s eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c files. Impact : An attacker could cause a possible Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 127974 published 2019-08-20 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127974 title GLSA-201908-25 : hostapd and wpa_supplicant: Denial of Service NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1073.NASL description According to the versions of the wpa_supplicant package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range.(CVE-2019-16275) - The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.(CVE-2019-11555) - The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.(CVE-2019-9499) - The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.(CVE-2019-9498) - The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.(CVE-2019-9497) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 132827 published 2020-01-13 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132827 title EulerOS Virtualization for ARM 64 3.0.5.0 : wpa_supplicant (EulerOS-SA-2020-1073) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3969-2.NASL description USN-3969-1 fixed a vulnerability in wpa_supplicant and hostapd. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details : It was discovered that wpa_supplicant and hostapd incorrectly handled unexpected fragments when using EAP-pwd. A remote attacker could possibly use this issue to cause a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124759 published 2019-05-10 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124759 title Ubuntu 14.04 LTS : wpa vulnerability (USN-3969-2) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3969-1.NASL description It was discovered that wpa_supplicant and hostapd incorrectly handled unexpected fragments when using EAP-pwd. A remote attacker could possibly use this issue to cause a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124696 published 2019-05-08 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124696 title Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : wpa vulnerability (USN-3969-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4450.NASL description A vulnerability was found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point). The EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) doesn last seen 2020-06-01 modified 2020-06-02 plugin id 125414 published 2019-05-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125414 title Debian DSA-4450-1 : wpa - security update
References
- https://www.openwall.com/lists/oss-security/2019/04/18/6
- https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt
- https://w1.fi/security/2019-5/
- http://www.openwall.com/lists/oss-security/2019/04/26/1
- https://usn.ubuntu.com/3969-1/
- https://usn.ubuntu.com/3969-2/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc
- https://seclists.org/bugtraq/2019/May/40
- https://www.debian.org/security/2019/dsa-4450
- https://seclists.org/bugtraq/2019/May/64
- https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html
- https://security.gentoo.org/glsa/201908-25
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5T7G763UECWR7FQXOJVL67PW7C5A3SA4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IQ6P2GI5GSXRNLNIUNPARFZQVDEIGVZD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJKZHAT5KPUN26JL77EUH563GAH5XZ5C/