EAP-pwd message reassembly issue with unexpected fragment Published: April 18, 2019 Identifiers: - CVE-2019-11555 Latest version available from: https://w1.fi/security/2019-5/ Vulnerability EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) was discovered not to validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to NULL pointer dereference. An attacker in radio range of a station device with wpa_supplicant network profile enabling use of EAP-pwd could cause the wpa_supplicant process to terminate by constructing unexpected sequence of EAP messages. An attacker in radio range of an access point that points to hostapd as an authentication server with EAP-pwd user enabled in runtime configuration (or in non-WLAN uses of EAP authentication as long as the attacker can send EAP-pwd messages to the server) could cause the hostapd process to terminate by constructing unexpected sequence of EAP messages. Vulnerable versions/configurations All hostapd and wpa_supplicant versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled in the runtime configuration) are vulnerable against the process termination (denial of service) attack. Possible mitigation steps - Merge the following commits to wpa_supplicant/hostapd and rebuild: EAP-pwd peer: Fix reassembly buffer handling EAP-pwd server: Fix reassembly buffer handling These patches are available from https://w1.fi/security/2019-5/ - Update to wpa_supplicant/hostapd v2.8 or newer, once available