CVE-2015-4143

Name of the Vulnerable Software and Affected Versions hostapd and wpa supplicant versions 1.0 through 2.4

Description The issue allows remote attackers to cause a denial of service, resulting in an out-of-bounds read and crash, via a crafted message payload. This can be achieved by sending a specially crafted (1) Commit or (2) Confirm message. The problem is caused by a buffer overflow in the EAP-pwd server and peer implementation.

Recommendations For hostapd and wpa supplicant versions 1.0 through 2.4, consider disabling the EAP-pwd functionality until a patch is available to prevent remote attackers from exploiting this issue. Restrict access to the EAP-pwd server and peer implementation to minimize the risk of exploitation. Avoid using crafted message payloads in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.