Wi-fi authentication client bug opens multiple OS to attack

A recently-discovered vulnerability in the popular open source wpa_supplicant software for wi-fi could potentially put large numbers of client systems at risk.

Supplicants are typically software that passes user credentials for securely connecting computers to networks. 

The free and open software wi-fi protected access supplicant (wpa_supplicant) 802.11i implementation for Linux, *BSD, Apple OS X and Microsoft Windows is developed by Jouni Malinen, and is used in personal computers and embedded systems.

Malinen said the flaw - CVE-2015-1863 - could allow attackers to copy arbitrary data to system memory buffers, as the supplicant does not properly check the length of data packets for the service set identifier (SSID) used to differentiate wireless devices when creating or updating peer to peer (P2P) entries.

Corrupted P2P device information can lead to unexpected program behaviour and denial of service attacks if the wpa_supplicant crashes. Memory contents could also be exposed during the group owner negotiation stage when using the wi-fi direct P2P protocol to connect devices to each other, according to Malinen.

Attackers can read memory as well as write to it. This, Malinen said, could potentially enable remote code execution on victim's devices.

Systems controlled by attackers have to be within wi-fi radio range of vulnerable devices to send specially crafted management frames which trigger P2P device information to be created or updated, he said.

The flaw is easiest to exploit if there is an existing active P2P operation, but Malinen said it could be possible to trigger the vulnerability without such operations in progress.

Malinen has committed a patch for the wpa_supplicant that validates the length of the SSID element before copying it.

Chinese e-tailer giant Alibaba is credited with having discovered the flaw. Google reported it to Malinen.