Vigil@nce - hostapd: denial of service via EAP-TLS
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An unauthenticated attacker can send a special EAP-TLS message, in
order to force hostapd to stop itself.
– Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, Unix
(platform)
– Severity: 2/4
– Creation date: 08/10/2012
DESCRIPTION OF THE VULNERABILITY
The hostapd daemon processes the authentication of access points.
The EAP-TLS authentication protocol uses a X.509 client
certificate, which is exchanged during a TLS session.
The eap_server_tls_process_fragment() function of the
src/eap_server/eap_server_tls_common.c file of hostapd reassembles
TLS fragments (messages larger than 16384 bytes are fragmented in
several TLS Records). However, if the "More Fragments" flag (cf.
RFC 2716 for example) is set, and if the announced size is shorter
than the real data size, then hostapd detects a buffer overflow
attempt, and stops.
An unauthenticated attacker can therefore send a special EAP-TLS
message, in order to force hostapd to stop itself.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/hostapd-denial-of-service-via-EAP-TLS-12036