ArchLinux: 201610-7: wpa_supplicant: multiple issues
Summary
- CVE-2016-4476 (denial of service)
A vulnerability was found in how hostapd and wpa_supplicant write the
configuration file update for the WPA/WPA2 passphrase parameter. If
this parameter has been updated to include control characters, either
through a WPS operation or through a local configuration change over the
wpa_supplicant control interface, the resulting configuration file may
prevent hostapd and wpa_supplicant from starting when the updated
file is used.
- CVE-2016-4477 (privilege escalation)
The local configuration update through the control interface
SET_NETWORK command could allow privilege escalation for the local user
to run code from a locally stored library file under the same
privileges as the wpa_supplicant process has. The assumption here is
that a not fully trusted user/application might have access through a
connection manager to set network profile parameters like psk, but
would not have access to set other configuration file parameters. If
the connection manager in such a case does not filter out control
characters from the psk value, it could have been possible to
practically update the global parameters by embedding a newline
character within the psk value. In addition, the untrusted
user/application would need to be able to install a library file
somewhere on the device from where the wpa_supplicant process has
privileges to load the library.
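Both issues stem from a control character, a newline in particular, being accepted in a psk value and written verbatim into the configuration file. The following is an added example, not code from the advisory or from the hostapd/wpa_supplicant project: a validation routine a connection manager could apply before forwarding a psk over SET_NETWORK, a renderer that refuses to emit a network block containing such values, and a check that scans an existing wpa_supplicant.conf for stray control characters (the CVE-2016-4476 start-up failure case). Function names, the accepted passphrase forms (8..63 printable ASCII characters or a 64-hex-digit raw PSK, per the WPA-PSK specification) and the sample config text are this example's own.

```python
import re

# Control characters that must never appear in a psk value.
CONTROL = re.compile(r'[\x00-\x1f\x7f]')
# Printable ASCII, the character set WPA-PSK passphrases are drawn from.
PRINTABLE_ASCII = re.compile(r'[\x20-\x7e]*')
# A raw 256-bit PSK written as 64 hex digits.
HEX_PSK = re.compile(r'[0-9a-fA-F]{64}')
# Control characters that have no business in a config file; tab is
# legitimate indentation and newline is handled by splitting lines.
STRAY_IN_CONFIG = re.compile(r'[\x00-\x08\x0a-\x1f\x7f]')


def validate_psk(value: str):
    """Return (ok, reason) for a caller-supplied psk value.

    Rejects control characters first, so a value carrying an embedded
    newline is refused before any other rule is consulted.
    """
    if CONTROL.search(value):
        return False, "control character in psk"
    if HEX_PSK.fullmatch(value):
        return True, "raw 256-bit PSK"
    if not PRINTABLE_ASCII.fullmatch(value):
        return False, "non-ASCII character in psk"
    if not 8 <= len(value) <= 63:
        return False, "passphrase length must be 8..63 characters"
    return True, "passphrase"


def render_network_block(ssid: str, psk: str) -> str:
    """Render a wpa_supplicant.conf network block, refusing any value that
    could add lines or break the quoted-string syntax (hypothetical helper)."""
    for name, val in (("ssid", ssid), ("psk", psk)):
        if CONTROL.search(val):
            raise ValueError(f"control character in {name}")
        if '"' in val:
            # Printable, but not representable by this simple quoted renderer.
            raise ValueError(f'double quote in {name} not supported')
    ok, reason = validate_psk(psk)
    if not ok:
        raise ValueError(reason)
    # A raw hex PSK is written unquoted; a passphrase is a quoted string.
    psk_line = f"\tpsk={psk}" if reason == "raw 256-bit PSK" else f'\tpsk="{psk}"'
    return "network={\n" + f'\tssid="{ssid}"\n' + psk_line + "\n}\n"


def find_control_chars(config_text: str):
    """Scan config text and return (line_number, column, repr(char)) for every
    stray control character, so a corrupted file is caught before restart."""
    hits = []
    for lineno, line in enumerate(config_text.split("\n"), start=1):
        for m in STRAY_IN_CONFIG.finditer(line):
            hits.append((lineno, m.start(), repr(m.group())))
    return hits


if __name__ == "__main__":
    # Constructed sample: a config whose psk line carries a stray byte.
    sample = 'network={\n\tssid="home"\n\tpsk="a\x01b"\n}\n'
    print(validate_psk("correct horse battery"))
    print(render_network_block("home", "hunter2hunter"), end="")
    print(find_control_chars(sample))
```

The validator deliberately returns a reason string so a connection manager can log why a profile update was refused, which doubles as an audit trail for attempts to push unusual psk values through the control interface.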
Resolution
Upgrade to 1:2.6-1.
# pacman -Syu "wpa_supplicant>=1:2.6-1"
The problems have been fixed upstream in version 2.6.
References
https://www.openwall.com/lists/oss-security/2016/05/03/2
https://access.redhat.com/security/cve/CVE-2016-4476
https://access.redhat.com/security/cve/CVE-2016-4477
Workaround
None.