Wi-fi authentication client bug opens multiple OS to attack

Malicious P2P SSIDs could execute code on Linux, Windows, OS X.

A recently-discovered vulnerability in the popular open source wpa_supplicant software for wi-fi could potentially put large numbers of client systems at risk.

A supplicant is typically software that passes user credentials so that a computer can connect securely to a network.

wpa_supplicant, the free and open source wi-fi protected access (WPA) supplicant and 802.11i implementation for Linux, *BSD, Apple OS X and Microsoft Windows, is developed by Jouni Malinen and is used in personal computers and embedded systems.

Malinen said the flaw - CVE-2015-1863 - could allow attackers to copy arbitrary data to system memory buffers, because the supplicant does not properly check the length of the data received for the service set identifier (SSID), which is used to differentiate wireless devices, when creating or updating peer-to-peer (P2P) entries.

Corrupted P2P device information can lead to unexpected program behaviour and denial of service attacks if the wpa_supplicant crashes. Memory contents could also be exposed during the group owner negotiation stage when using the wi-fi direct P2P protocol to connect devices to each other, according to Malinen.

Attackers can read memory as well as write to it. This, Malinen said, could potentially enable remote code execution on victims' devices.

Systems controlled by attackers have to be within wi-fi radio range of vulnerable devices to send specially crafted management frames which trigger P2P device information to be created or updated, he said.

The flaw is easiest to exploit if there is an existing active P2P operation, but Malinen said it could be possible to trigger the vulnerability without such operations in progress.

Malinen has committed a patch for the wpa_supplicant that validates the length of the SSID element before copying it.
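The kind of check that fix describes, as an added example (not wpa_supplicant's code and not from the original article): an SSID element declares its length in a one-byte field that can say up to 255, while an SSID may be at most 32 octets, so the length is validated before the copy into a fixed buffer. The `peer_entry` structure, the function name and the sample byte strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32 /* 802.11 limit on SSID length, in octets */
#define EID_SSID 0      /* element ID of the SSID information element */

/* Hypothetical peer record; not wpa_supplicant's own structure. */
struct peer_entry { uint8_t ssid[SSID_MAX_LEN]; size_t ssid_len; };

/* Walk id/length/value elements in buf and store the SSID only if it fits.
 * Returns 0 on success, -1 if malformed or no SSID, -2 if SSID is too long. */
int peer_update_ssid(struct peer_entry *peer, const uint8_t *buf, size_t len)
{
    size_t pos = 0;

    while (len - pos >= 2) {
        uint8_t id = buf[pos];
        uint8_t elen = buf[pos + 1];
        pos += 2;
        if (elen > len - pos)
            return -1; /* element claims more data than the frame holds */
        if (id == EID_SSID) {
            if (elen > SSID_MAX_LEN)
                return -2; /* without this check memcpy would overrun ssid[] */
            memcpy(peer->ssid, buf + pos, elen);
            peer->ssid_len = elen;
            return 0;
        }
        pos += elen; /* skip elements we are not interested in */
    }
    return -1;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t sample_ok[] = { 0x01, 0x01, 0x82, EID_SSID, 4, 'd', 'e', 'm', 'o' };
static const uint8_t sample_long[2 + 40] = { EID_SSID, 40 }; /* declares 40 octets */
static const uint8_t sample_trunc[] = { EID_SSID, 8, 'a', 'b' }; /* claims 8, has 2 */
static struct peer_entry demo_peer;

int main(void)
{
    printf("valid: %d\n", peer_update_ssid(&demo_peer, sample_ok, sizeof(sample_ok)));
    printf("over-length: %d\n", peer_update_ssid(&demo_peer, sample_long, sizeof(sample_long)));
    printf("truncated: %d\n", peer_update_ssid(&demo_peer, sample_trunc, sizeof(sample_trunc)));
    return 0;
}
```

Rejected input leaves the existing peer record untouched, so a malformed frame cannot corrupt previously stored device information.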

Chinese e-tailer giant Alibaba is credited with having discovered the flaw. Google reported it to Malinen.

Copyright © iTnews.com.au. All rights reserved.