The vulnerability lies in how wpa_supplicant handles Service Set Identifier (SSID) information when creating or updating P2P peer entries. The valid length range of an SSID is 0-32 octets, but on one code path wpa_supplicant did not sufficiently verify the payload length before copying it. As a result, arbitrary attacker-supplied data could be copied into a fixed-length buffer of 32 bytes.
On an affected device this can result in a corrupted heap, unexpected program behaviour due to corrupted P2P peer device information, denial of service through a wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.
According to Jouni Malinen, maintainer of wpa_supplicant, "The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress."
This issue was reported by the Google security team and the hardware research group of the Alibaba security team.
Users can apply the fix commit "validate SSID element length before copying it (CVE-2015-1863)" from http://w1.fi/security/2015-1/ and rebuild wpa_supplicant, or update to wpa_supplicant v2.5 or a newer version once available.
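The defect and its fix reduce to one bounds check on a sender-controlled length byte. The following is an added illustration, not wpa_supplicant's own code: it parses an 802.11 SSID element out of a raw information-element blob into a fixed 32-byte peer buffer, with the length validation the fix adds; the struct and function names are hypothetical, and `build_sample_ies` expects an output buffer of at least 260 bytes.

```c
/* Added example, not wpa_supplicant's code: parse the SSID element from a raw IE blob
 * into a fixed 32-byte peer buffer with the length check the fix adds. Names hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* an SSID is 0-32 octets; the peer buffer is that size */
#define WLAN_EID_SSID 0   /* element ID of the SSID information element */

struct p2p_peer {
    uint8_t ssid[SSID_MAX_LEN];   /* fixed-length target of the overflow */
    size_t ssid_len;
};

/* Return the SSID payload; *len gets the sender-supplied length byte (0-255). */
static const uint8_t *find_ssid_ie(const uint8_t *ies, size_t ies_len, size_t *len)
{
    size_t pos = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos], elen = ies[pos + 1];
        if (pos + 2 + elen > ies_len)
            return NULL;           /* element claims more bytes than the frame has */
        if (id == WLAN_EID_SSID) { *len = elen; return ies + pos + 2; }
        pos += 2 + elen;
    }
    return NULL;
}

/* Hardened update: reject an SSID longer than the buffer, leaving the entry untouched.
 * The vulnerable pattern is this function with the `len > SSID_MAX_LEN` test missing. */
int p2p_peer_update_ssid(struct p2p_peer *peer, const uint8_t *ies, size_t ies_len)
{
    size_t len;
    const uint8_t *ssid = find_ssid_ie(ies, ies_len, &len);
    if (ssid == NULL || len > SSID_MAX_LEN)
        return -1;
    memcpy(peer->ssid, ssid, len);   /* bounded: len <= sizeof(peer->ssid) */
    peer->ssid_len = len;
    return 0;
}

/* Constructed input: a DS Parameter Set element (ID 3), then an SSID of ssid_len 'A' bytes. */
size_t build_sample_ies(uint8_t *out, size_t ssid_len)
{
    size_t n = 0;
    out[n++] = 3; out[n++] = 1; out[n++] = 6;                /* DS Params, channel 6 */
    out[n++] = WLAN_EID_SSID; out[n++] = (uint8_t)ssid_len;
    memset(out + n, 'A', ssid_len);
    return n + ssid_len;
}
```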