CVE-2017-11668
Description
An out-of-bounds read in eapmd5pass 1.4's assess_packet function allows remote attackers to cause a denial of service via crafted network traffic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An out-of-bounds read vulnerability exists in the assess_packet function in eapmd5pass.c:134 of eapmd5pass version 1.4. The flaw occurs when the software processes specially crafted network packets, leading to a read beyond the allocated memory buffer. This bug was discovered by Dhiru Kholia using libFuzzer and reported on the oss-security mailing list [1]. The affected version is eapmd5pass 1.4, as shipped with Kali Linux [1].
Exploitation
A remote attacker can exploit this vulnerability by sending a specially crafted network packet to the eapmd5pass process. The attacker does not require any authentication or prior access to the target system. The exploit triggers the out-of-bounds read in the assess_packet function when eapmd5pass handles the malicious traffic [1]. No user interaction is needed beyond the process receiving the packet.
Impact
Successful exploitation causes eapmd5pass to crash, resulting in a denial of service (DoS). The attacker can disrupt the intended functionality of the software, but the impact is limited to a remote crash; there is no evidence of code execution or information disclosure in the available references [1]. The crash is the direct consequence of the out-of-bounds read.
Mitigation
As of the publication date (2017-07-31), no official fix or patched version has been released by the maintainers. The upstream software appears to be unmaintained, and users are advised to avoid running eapmd5pass in production or untrusted environments until a patch is available. No workaround is documented in the references. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:eapmd5pass_project:eapmd5pass:1.4:*:*:*:*:*:*:*
- (no CPE) version range: = 1.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of the `offset` variable in `assess_packet` allows a negative offset, leading to an out-of-bounds read."
Attack vector
An attacker can trigger the out-of-bounds read remotely by sending specially crafted network traffic that causes the `offset` variable in `assess_packet` to become negative (e.g., -2) [ref_id=1]. When the code then evaluates `if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 1)`, it dereferences memory before the intended buffer [ref_id=1]. No authentication is required, and the attack can also be performed locally by supplying a crafted `.pcap` file [ref_id=1].
Affected code
The vulnerability resides in the `assess_packet` function in `eapmd5pass.c` at line 134 [ref_id=1]. The `offset` variable can become negative, and the code dereferences `dot11->u1.fc.from_ds` and `dot11->u1.fc.to_ds` without first checking whether `offset` is valid, causing an out-of-bounds read [ref_id=1].
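As an added illustration (not eapmd5pass code or its patch), the C below models the range check a defender would expect before the `from_ds`/`to_ds` dereference described above, rejecting a negative `offset` such as the -2 in the trace as well as an offset that leaves too few captured bytes. The header-length constant, function names and sample frame are this example's own assumptions; the flag positions follow the IEEE 802.11 frame control field.

```c
/* Added example, not eapmd5pass code: a guarded version of the frame
 * classification step described for assess_packet. Names and the
 * header-length constant are this example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FC_FLAGS_BYTE  1        /* second byte of the frame control field */
#define FC_TO_DS       0x01     /* To DS flag */
#define FC_FROM_DS     0x02     /* From DS flag */
#define DOT11_HDR_MIN  24       /* addr1-3 + seq ctrl, no addr4/QoS (assumed minimum) */

enum { CLASS_REJECT = -1, CLASS_OTHER = 0, CLASS_WDS = 1 };

/* The defect described on this page: a header pointer was formed from
 * pkt + offset and its from_ds / to_ds bits were read before `offset`
 * was validated, so a negative offset read memory before the buffer. */

/* Returns 1 when a header at `offset` lies fully inside the captured
 * bytes. `offset` is signed because the original link-layer offset
 * computation can yield a negative value. */
int dot11_offset_ok(long offset, size_t caplen)
{
    if (offset < 0) return 0;
    if ((size_t)offset > caplen) return 0;
    return caplen - (size_t)offset >= DOT11_HDR_MIN;
}

/* Guarded classification: returns CLASS_REJECT instead of dereferencing
 * when the offset is out of range; otherwise reports whether both DS
 * flags are set (the condition assess_packet tests). */
int classify_frame(const uint8_t *pkt, size_t caplen, long offset)
{
    if (!dot11_offset_ok(offset, caplen)) return CLASS_REJECT;
    uint8_t flags = pkt[offset + FC_FLAGS_BYTE];
    if ((flags & FC_TO_DS) && (flags & FC_FROM_DS)) return CLASS_WDS;
    return CLASS_OTHER;
}

/* Constructed sample: a 24-byte data frame header with ToDS|FromDS set,
 * classified at the caller-supplied offset. */
int demo_wds_frame(long offset)
{
    uint8_t pkt[DOT11_HDR_MIN];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x08;                      /* type = data */
    pkt[1] = FC_TO_DS | FC_FROM_DS;     /* both DS flags set */
    return classify_frame(pkt, sizeof pkt, offset);
}
```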
What the fix does
The patch adds a guard at the beginning of `assess_packet` that returns early if `offset
Preconditions
- network: The attacker must be able to deliver a crafted network packet (or a crafted .pcap file) to the eapmd5pass process.
- auth: No authentication or special privileges are required.
Reproduction
Run `./eapmd5pass -r crash-4c384505c65c675a6a821f2a2f25ea967ec2a8c0 -w wordlist` against the provided crash file. AddressSanitizer will report a heap-buffer-overflow READ of size 1 at `assess_packet` line 134, with the `offset` variable equal to -2 [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. openwall.com/lists/oss-security/2017/07/31/3 (NVD tags: Exploit, Mailing List, Third Party Advisory)
News mentions
No linked articles in our index yet.