PT-2012-1046 · Debian · Hostapd

Timo Warns · Published 2012-10-10 · Updated 2023-02-13 · CVE-2012-4445

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions: hostapd versions 0.6 through 1.0

Description: The issue concerns multiple vulnerabilities in the hostapd package of the Debian GNU/Linux operating system, which can be exploited remotely to disrupt the availability of protected information. Specifically, a heap-based buffer overflow in the eap_server_tls_process_fragment function in eap_server_tls_common.c can cause a denial of service (crash or abort) via a small "TLS Message Length" value in an EAP-TLS message with the "More Fragments" flag set.

Recommendations: For hostapd versions 0.6 through 1.0, consider disabling the eap_server_tls_process_fragment function as a temporary workaround until a patch is available. Restrict access to the EAP authentication server to minimize the risk of exploitation. Avoid using the eap_server_tls_process_fragment function in EAP-TLS message processing until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
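As an added illustration (not hostapd's code and not the Debian fix itself), the model below shows the reassembly logic the description refers to: the server sizes its reassembly buffer from the peer-supplied "TLS Message Length" and then copies the first fragment into it, and the hardened path rejects a first fragment that is larger than the declared total before anything is allocated. The fragment bytes and sizes are constructed, and the 65536 sanity bound is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model of server-side EAP-TLS fragment reassembly, not hostapd's own
 * code. tls_msg_len is the peer-supplied "TLS Message Length" carried in the
 * first fragment (More Fragments set); len is this fragment's payload size. */
enum frag_result { FRAG_OK = 0, FRAG_REJECTED = -1, FRAG_OVERFLOW = -2 };
struct reasm { uint8_t *buf; size_t cap; size_t used; };

/* hardened != 0 applies the missing check; hardened == 0 models the flawed
 * logic but reports FRAG_OVERFLOW instead of writing past the buffer. */
static enum frag_result process_fragment(struct reasm *r, uint32_t tls_msg_len,
                                         const uint8_t *frag, size_t len,
                                         int hardened)
{
    if (r->buf == NULL) {
        /* First fragment: the buffer is sized from the peer's claim. */
        if (tls_msg_len == 0 || tls_msg_len > 65536)   /* assumed sanity bound */
            return FRAG_REJECTED;
        if (hardened && len > tls_msg_len)
            return FRAG_REJECTED;  /* claimed total smaller than this fragment */
        r->buf = malloc(tls_msg_len);
        if (r->buf == NULL)
            return FRAG_REJECTED;
        r->cap = tls_msg_len; r->used = 0;
        if (len > r->cap)
            return FRAG_OVERFLOW;  /* flawed logic would memcpy len bytes here */
    } else if (r->used + len > r->cap) {
        return FRAG_REJECTED;      /* later fragments were already bounded */
    }
    memcpy(r->buf + r->used, frag, len);
    r->used += len;
    return FRAG_OK;
}

static void reasm_free(struct reasm *r)
{
    free(r->buf); r->buf = NULL; r->cap = r->used = 0;
}

int main(void)
{
    uint8_t frag[10] = {0};  /* constructed: 10-byte fragment, claimed total 4 */
    struct reasm r = {0};
    printf("vulnerable: %d\n", process_fragment(&r, 4, frag, 10, 0));
    reasm_free(&r);
    printf("hardened: %d\n", process_fragment(&r, 4, frag, 10, 1));
    reasm_free(&r);
}
```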

Weakness Enumeration

Buffer Overflow

Related identifiers

BDU:2015-03116
CVE-2012-4445
DSA-2557-1

Affected products

Hostapd