CVE-2015-5314 - OpenCVE

The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
W1.fi	Wpa Supplicant

Configuration 1 [-]

cpe:2.3:a:w1.fi:wpa_supplicant:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt
http://www.openwall.com/lists/oss-security/2015/11/10/10
http://www.ubuntu.com/usn/USN-2808-1
https://www.debian.org/security/2015/dsa-3397

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-02-21T16:00:00

Updated: 2024-08-06T06:41:09.301Z

Reserved: 2015-07-01T00:00:00

Link: CVE-2015-5314

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-02-21T16:29:00.287

Modified: 2018-03-21T13:07:25.667

Link: CVE-2015-5314

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-11-10T00:00:00", "descriptions": [{"lang": "en", "value": "The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-22T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "USN-2808-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2808-1"}, {"name": "DSA-3397", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2015/dsa-3397"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt"}, {"name": "[oss-security] 20151110 hostapd/wpa_supplicant: EAP-pwd missing last fragment length validation", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/11/10/10"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-5314", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "USN-2808-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2808-1"}, {"name": "DSA-3397", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2015/dsa-3397"}, {"name": "http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt", "refsource": "CONFIRM", "url": "http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt"}, {"name": "[oss-security] 20151110 hostapd/wpa_supplicant: EAP-pwd missing last fragment length validation", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/11/10/10"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:41:09.301Z"}, "title": "CVE Program Container", "references": [{"name": "USN-2808-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2808-1"}, {"name": "DSA-3397", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2015/dsa-3397"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt"}, {"name": "[oss-security] 20151110 hostapd/wpa_supplicant: EAP-pwd missing last fragment length validation", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/11/10/10"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5314", "datePublished": "2018-02-21T16:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:09.301Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:w1.fi:wpa_supplicant:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0920644-8B05-465C-A1BE-BAC6344D990E", "versionEndExcluding": "2.6", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message."}, {"lang": "es", "value": "La funci\u00f3n eap_pwd_process en eap_server/eap_server_pwd.c en hostapd, en versiones 2.x anteriores a la 2.6 no valida que el b\u00fafer de reensamblaje sea lo bastante grande para el fragmento final al emplearse con (1) un servidor EAP interno o (2) un servidor RADIUS y EAP-pwd habilitado en una configuraci\u00f3n runtime. Esto permite que atacantes remotos provoquen una denegaci\u00f3n de servicio (finalizaci\u00f3n del proceso) mediante un fragmento final grande en un mensaje EAP-pwd."}], "id": "CVE-2015-5314", "lastModified": "2018-03-21T13:07:25.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-21T16:29:00.287", "references": [{"source": "secalert@redhat.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Mitigation", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/11/10/10"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.ubuntu.com/usn/USN-2808-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2015/dsa-3397"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}