BSDSec

deadsimple BSD Security Advisories and Announcements

New erratas released today: 5.8 errata #8, 5.7 errata #20

9 November, 2015 by stsp@openbsd.org | openbsd 

There is a remotely triggerable panic in the wireless subsystem
involving WPA (a.k.a RSN).

RSN element parsing in the input path lacks validation of the group
cipher and group management cipher values. If a bad value is received
it is stored without validation, which will trigger a panic when the
value is used while sending a reply.

This can be used by malicious access points to crash OpenBSD clients,
or by malicious clients to crash OpenBSD access points.

Thanks to Franz Bettag for highlighting this problem.

Links to patches below. Please follow the instructions within.

5.8: http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/008_rsn.patch.sig
5.7: http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/020_rsn.patch.sig