CVE-2015-5316

Vulnerability

The vulnerability resides in the eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c of wpa_supplicant. When EAP-pwd is enabled in a network configuration profile, an unexpected EAP-pwd Confirm message received before the Identity exchange triggers a NULL pointer dereference, causing the daemon to crash. Affected versions are wpa_supplicant v2.3 through v2.5 with CONFIG_EAP_PWD=y in the build configuration [2][3].

Exploitation

An attacker within radio range can send a crafted EAP-pwd Confirm message to a vulnerable wpa_supplicant peer that has EAP-pwd enabled in its network profile. No authentication is required; the attacker simply needs to be able to inject an EAP-pwd message before the Identity exchange occurs. The error path in the peer implementation dereferences a NULL pointer, leading to immediate termination of the wpa_supplicant process [2][3].

Impact

Successful exploitation results in a denial of service (DoS) via daemon crash. The attacker causes the wpa_supplicant process to terminate, disrupting network connectivity for the affected system. No code execution or data compromise is achieved; the impact is limited to availability [1][2][3].

Mitigation

The fix was included in wpa_supplicant v2.6, released after November 2015. Users should update to v2.6 or later. Alternatively, apply the patch from the w1.fi security advisory [3] or remove CONFIG_EAP_PWD=y from the build configuration, or disable EAP-pwd in runtime configuration. Ubuntu released USN-2808-1 on 10 November 2015 to address this issue [1]. No workaround is available if EAP-pwd must be used and patching is not possible.