CVE-2017-11670
Description
A length validation flaw in eapmd5pass 1.4's extract_eapusername function allows remote attackers to cause a denial of service via crafted network traffic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A length validation flaw leading to an out-of-bounds read and write exists in the extract_eapusername function of eapmd5pass version 1.4. This function is used to process network traffic for extracting usernames from EAP-MD5 packets. An attacker can trigger the vulnerability by sending specially crafted network traffic to the target [1].
Exploitation
An unauthenticated attacker who can get traffic in front of the eapmd5pass process, either on the interface it captures from or in a pcap file it is given to read, can supply a malformed EAP-MD5 packet. The extract_eapusername function fails to validate the length of the username field before copying it, causing out-of-bounds memory access. The attack does not require any prior authentication [1].
Impact
Successful exploitation results in a crash of the eapmd5pass process, leading to a denial of service. The attacker cannot achieve code execution or information disclosure based on the information provided; the impact is limited to loss of intended functionality [1].
Mitigation
No official patch or fixed version has been released for this vulnerability as of the disclosure date. Users should monitor the eapmd5pass project for updates and, as a workaround, run the tool only against captures from trusted sources and avoid pointing it at interfaces reachable by untrusted hosts [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:eapmd5pass_project:eapmd5pass:1.4:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of `usernamelen` (computed as `eaplen - 5`) allows a negative value to be passed as the size argument to `memcpy`, causing out-of-bounds read and write."
Attack vector
A remote attacker sends a specially crafted network packet to the eapmd5pass process [ref_id=1]. The packet is processed by `extract_eapusername`, which computes `usernamelen = eaplen - 5` without checking whether the result is negative [ref_id=1]. When `eaplen` is less than 5, `usernamelen` becomes negative; passed as the size argument to `memcpy`, the negative `int` is converted to a `size_t` close to `SIZE_MAX`, which AddressSanitizer reports as a negative-size-param error and which in an uninstrumented build makes `memcpy` read past the packet buffer and write past `em->username` until the process faults [CWE-125] [CWE-787] [ref_id=1]. No authentication or special privileges are required, and the attack can be performed over the network [ref_id=1].
Affected code
The vulnerable function is `extract_eapusername` in `eapmd5pass.c` [ref_id=1]. The crash occurs at line 459 at the `memcpy(em->username, (eap+5), usernamelen)` call, where `usernamelen` is computed as `eaplen - 5` and can become negative [ref_id=1].
What the fix does
The patch adds a bounds check before the `memcpy` call: `if (usernamelen
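The check the advisory describes, written out as an added example that is not eapmd5pass's own code. It parses an EAP-Response/Identity packet (RFC 3748 layout: Code, Id, two-byte big-endian Length, Type, then the identity bytes, so the name starts at offset 5 and `usernamelen = eaplen - 5`) first in the flawed shape, with a signed and unchecked `usernamelen`, and then in a checked form that also bounds the Length field by the number of bytes actually captured and by the destination buffer. `struct eapdata`, the function names, the 64-byte username buffer and the three sample packets are assumptions of this example, not details taken from the project.

```c
/* Added example, not eapmd5pass's own code: the EAP-Response/Identity
 * parse that CVE-2017-11670 gets wrong, in the flawed shape the advisory
 * describes and in a checked form. EAP layout (RFC 3748): Code(1) Id(1)
 * Length(2, big-endian) Type(1) Type-Data; for Identity (Type 1) the name
 * starts at offset 5, hence usernamelen = eaplen - 5. struct eapdata, the
 * function names, USERNAME_MAX and the sample packets are this example's
 * own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_CODE_RESPONSE 2
#define EAP_TYPE_IDENTITY 1
#define EAP_HDR_LEN       5   /* Code, Id, Length(2), Type */
#define USERNAME_MAX      64  /* assumed destination buffer size */

struct eapdata {
    char   username[USERNAME_MAX];
    size_t usernamelen;
};

enum eap_status { EAP_OK = 0, EAP_TRUNCATED, EAP_BAD_LENGTH,
                  EAP_NOT_IDENTITY, EAP_NAME_TOO_LONG };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* What memcpy actually receives when the unchecked int goes negative:
 * Length 3 gives usernamelen -2, i.e. SIZE_MAX - 1 after conversion. */
static size_t unchecked_memcpy_size(int eaplen)
{
    int usernamelen = eaplen - EAP_HDR_LEN;
    return (size_t)usernamelen;
}

/* The flawed shape: eaplen is trusted and usernamelen is a signed int that
 * is never checked (CWE-125/CWE-787). Kept for contrast only; never call it
 * on a packet with Length < 5 or a name of USERNAME_MAX bytes or more. */
static int eap_extract_identity_unchecked(const uint8_t *eap, int eaplen,
                                          struct eapdata *em)
{
    int usernamelen = eaplen - EAP_HDR_LEN;            /* negative if eaplen < 5 */
    memcpy(em->username, eap + EAP_HDR_LEN, usernamelen); /* int -> huge size_t */
    em->username[usernamelen] = '\0';
    em->usernamelen = (size_t)usernamelen;
    return 0;
}

/* Checked form: every length is validated before it reaches memcpy, and
 * caplen (bytes actually captured) bounds the attacker-controlled field. */
static enum eap_status eap_extract_identity(const uint8_t *eap, size_t caplen,
                                            struct eapdata *em)
{
    if (caplen < EAP_HDR_LEN)
        return EAP_TRUNCATED;                  /* cannot even read the header */
    size_t eaplen = be16(eap + 2);             /* attacker-controlled field */
    if (eaplen < EAP_HDR_LEN)
        return EAP_BAD_LENGTH;                 /* the CVE case: eaplen - 5 < 0 */
    if (eaplen > caplen)
        return EAP_TRUNCATED;                  /* claims more than was captured */
    if (eap[0] != EAP_CODE_RESPONSE || eap[4] != EAP_TYPE_IDENTITY)
        return EAP_NOT_IDENTITY;
    size_t usernamelen = eaplen - EAP_HDR_LEN; /* unsigned, >= 0 by now */
    if (usernamelen >= sizeof em->username)
        return EAP_NAME_TOO_LONG;              /* keep room for the NUL */
    memcpy(em->username, eap + EAP_HDR_LEN, usernamelen);
    em->username[usernamelen] = '\0';
    em->usernamelen = usernamelen;
    return EAP_OK;
}

/* Constructed sample packets (not bytes from the advisory's crash file). */
static const uint8_t PKT_GOOD[]  = { 0x02, 0x01, 0x00, 0x0a, 0x01, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t PKT_SHORT[] = { 0x02, 0x01, 0x00, 0x03, 0x01 };                 /* Length 3 < 5 */
static const uint8_t PKT_LIES[]  = { 0x02, 0x01, 0x00, 0x40, 0x01, 'b', 'o', 'b' };  /* Length 64, 8 captured */

int main(void)
{
    struct eapdata em;
    enum eap_status st = eap_extract_identity(PKT_GOOD, sizeof PKT_GOOD, &em);
    printf("good : %d (%s)\n", (int)st, em.username);
    printf("short: %d\n", (int)eap_extract_identity(PKT_SHORT, sizeof PKT_SHORT, &em));
    printf("lies : %d\n", (int)eap_extract_identity(PKT_LIES, sizeof PKT_LIES, &em));
    printf("memcpy size for Length 3, unchecked: %zu\n", unchecked_memcpy_size(3));
    eap_extract_identity_unchecked(PKT_GOOD, (int)sizeof PKT_GOOD, &em); /* safe on this packet */
    printf("unchecked on good packet: %s\n", em.username);
    return 0;
}
```

PKT_SHORT models the kind of frame the `-r crash-...` reproduction feeds in: the checked parser rejects it with EAP_BAD_LENGTH before `memcpy` runs. It also refuses a packet whose Length field exceeds the captured bytes and a name that would not fit the destination buffer, two related cases worth validating in the same place.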
Preconditions
- network: The attacker must be able to get crafted traffic in front of the eapmd5pass process, on the interface it captures from or in a pcap file it is given to read.
- config: The eapmd5pass process must be running and processing network traffic (e.g., reading from a pcap file or live capture).
Reproduction
The reference write-up [ref_id=1] includes a reproduction command: `$ ./eapmd5pass -r crash-1717d491a7b9beba422fe919d524ab973fbe7266 -w wordlist` (`-r` reads the capture file, `-w` supplies the wordlist). Against an AddressSanitizer-instrumented build this produces AddressSanitizer output showing a negative-size-param error at `extract_eapusername` in `eapmd5pass.c:459`. The crash file is a specially crafted pcap that causes `eaplen` to be less than 5, making `usernamelen` negative.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- openwall.com/lists/oss-security/2017/07/31/3 (NVD tags: Exploit, Mailing List, Third Party Advisory)
News mentions
No linked articles in our index yet.