hostapd is prone to an overflow condition. The eap_server_tls_process_fragment() function of eap_server/eap_server_tls_common.c fails to properly sanitize user-supplied input during the parsing of fragment data of a TLS message resulting in a buffer overflow. With a specially crafted EAP-TLS message, a remote attacker can potentially execute arbitrary code.

Currently, there are no known workarounds or upgrades to correct this issue. However, a patch has been committed to the CVS/GIT repository that addresses this vulnerability. Until it is incorporated into the next release of the software, manually patching an existing installation is the only known available solution. Check the vendor advisory or solution URL in the references section.

• Security Tracker: 1027808
• CVE ID: 2012-4445 (see also: NVD)
• Secunia Advisory ID: 50805 50888 51057 51674
• Bugtraq ID: 55826
• Vendor Specific News/Changelog Entry: http://blog.pfsense.org/?p=676
  http://lists.debian.org/debian-security-announce/2012/msg00201.html
  http://lists.opensuse.org/opensuse-updates/2012-10/msg00062.html
• Mail List Post: http://seclists.org/bugtraq/2012/Nov/87
• Vendor Specific Solution URL: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=586c446e0ff42ae00315b014924ec669023bd8de
• Other Advisory URL: http://www.pre-cert.de/advisories/PRE-SA-2012-07.txt

• Timo Warns - PRESENSE Technologies GmbH