WiFi Woes from SSID Vulnerability

Friday, April 24, 2015 @ 02:04 PM gHale


It is possible for an attacker to leverage a series of attacks against a vulnerability in cross platform WiFi software “wpa_supplicant” from a denial-of-service (DoS) up to reading memory contents.

The package is a free implementation of the IEEE 802.1X/WPA component in clients that sees use for controlling wireless connections (secure key negotiation, scanning, authentication, transmission of normal data packets).

RELATED STORIES
‘Spell Check for Cybersecurity’
Attacks like Dragonfly Show New Security Model Needed
Learning to Navigate OT Security Risks
Finding a Balance: Managing OT Cyber Risk

It is present in operating systems for mobile devices (Android), desktop computers (Windows, Linux, BSD, OS X), as well as in embedded systems.

The glitch (CVE-2015-1863) affects wpa_supplicant versions 1.0 through 2.4 that have the Config_P2P option turned on. The vulnerability ended up discovered by the security team at Alibaba (smart hardware research group) and reported by Google’s security team.

Successful exploitation is possible when the client is working in a peer-to-peer (P2P) operation, and it could crash the wpa_supplicant process, expose sensitive information available in the memory of the client device, and cause potential arbitrary code execution.

The details of the flaw, published on the Open Source Software Security mailing list, explain the trouble stems from insufficient verification of the payload length when receiving the SSID (Service Set Identifier) information.

The SSID field has a maximum length of 32 octets but it ends up delivered via an element that supports a payload length of 255 octets, thus allowing additional arbitrary data to end up appended, when connecting to a malicious wireless network.

“This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The SSID buffer is within struct p2p_device that is allocated from heap. The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation,” Jouni Malinen, who maintains the package, wrote in the advisory.

Patch code is now available from Malinen, who advises rebuilding the affected wpa_supplicant variants with it. Click here for the latest version.

Alternatively, developers integrating the wpa_supplicant code into their products can wait for version 2.5 to become available.



Leave a Reply

You must be logged in to post a comment.