VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2018 · Updated Aug 6, 2024

CVE-2015-5315

Description

A missing length check on the final EAP-pwd fragment in wpa_supplicant 2.x before 2.6 allows remote attackers to cause a denial of service via process termination.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the eap_pwd_process function in eap_peer/eap_pwd.c of wpa_supplicant versions 2.0 through 2.5 [3]. When an incoming EAP-pwd message is fragmented, the length validation applied to the reassembly buffer for other fragments is not performed on the last fragment. This allows a crafted final fragment to attempt to append more data than the reassembly buffer can hold. The built-in length validation in wpabuf_put_data() prevents a buffer write overflow, but the failed assertion terminates the process, leading to denial of service [3]. The affected configuration requires that wpa_supplicant is built with CONFIG_EAP_PWD=y and that EAP-pwd is enabled in a network profile at runtime [3].
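The pattern described above, reduced to a self-contained C model of fragment reassembly; this is an added example, not wpa_supplicant's source. `struct reasm`, `put_data`, `add_fragment` and the `check_final` switch are hypothetical names, and `put_data` returns an error at the point where, per the advisory, the real process terminates.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reassembly state; size is the total length announced up front. */
struct reasm { uint8_t data[64]; size_t size, used; };

enum frag_result { FRAG_MORE, FRAG_DONE, FRAG_REJECT, FRAG_WOULD_ABORT };

/* Stand-in for the append-time validation the advisory attributes to
 * wpabuf_put_data(): it never overflows. Returning -1 here marks the
 * point where the real process would terminate. */
static int put_data(struct reasm *r, const uint8_t *p, size_t len)
{
    if (len > r->size - r->used)
        return -1;
    memcpy(r->data + r->used, p, len);
    r->used += len;
    return 0;
}

/* check_final = 0: flawed pattern, remaining space is only checked when
 * more fragments follow. check_final = 1: every fragment is checked. */
enum frag_result add_fragment(struct reasm *r, const uint8_t *p, size_t len,
                              int more, int check_final)
{
    if ((more || check_final) && len > r->size - r->used)
        return FRAG_REJECT;            /* drop the frame, fail the exchange */
    if (put_data(r, p, len) < 0)
        return FRAG_WOULD_ABORT;       /* failed assertion: process exits */
    return more ? FRAG_MORE : FRAG_DONE;
}

int main(void)
{
    uint8_t frag[16] = { 0 };          /* constructed sample fragment */
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct reasm r = { .size = 24 };   /* announced total: 24 bytes */
        add_fragment(&r, frag, sizeof(frag), 1, fixed);
        printf("check_final=%d -> %d\n", fixed,
               add_fragment(&r, frag, sizeof(frag), 0, fixed));
    }
    return 0;
}
```

With the check applied to the final fragment, the oversized frame is rejected as a protocol error and the append-time validation is never reached, so the process keeps running.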

Exploitation

An attacker within radio range of a client device running wpa_supplicant with EAP-pwd enabled in a network profile can send a specially crafted large final fragment in an EAP-pwd message [3]. No authentication is required; the attacker simply needs to be in Wi-Fi range and initiate or interfere with an EAP-pwd exchange [2][3]. The attack does not require user interaction beyond the client having the affected network profile configured.

Impact

Successful exploitation causes the wpa_supplicant process to terminate (assertion failure), resulting in a denial of service for Wi-Fi connectivity on the affected client [3]. The attacker does not gain code execution, data access, or any other network-level privilege; only availability is compromised [2][3].

Mitigation

The vulnerability is fixed in wpa_supplicant version 2.6 and later [3]. Ubuntu published updated packages as USN-2808-1 on November 10, 2015 [1]. For systems that cannot immediately upgrade, the workaround is to remove CONFIG_EAP_PWD=y from the build configuration and/or disable EAP-pwd in network profiles [3]. The fix commits are available from the w1.fi security page [3].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4