Message-ID: <20141009190907.GC29399@w1.fi>
Date: Thu, 9 Oct 2014 22:09:07 +0300
From: Jouni Malinen <j@...fi>
To: oss-security@...ts.openwall.com
Subject: wpa_cli and hostapd_cli action script execution vulnerability

Published: October 9, 2014
Identifier: CVE-2014-3686
Latest version available from: http://w1.fi/security/2014-1/


Vulnerability

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use for executing action scripts. An unsanitized string received from a remote device can be passed to a system() call resulting in arbitrary command execution under the privileges of the wpa_cli/hostapd_cli process (which may be root or at least network admin in common use cases).


Vulnerable versions/configurations

wpa_cli is a component distributed with wpa_supplicant and hostapd_cli is a component distributed with hostapd. The vulnerability affects only cases where wpa_cli or hostapd_cli is used to run action scripts (-a command line option) and one (or more) of the following build combinations for wpa_supplicant/hostapd is used:

- wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and connecting to a P2P group

- wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled

- wpa_supplicant v2.2 with CONFIG_HS20 build option enabled

- wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and operating as WPS Registrar

- hostapd v0.7.2-v2.2 with CONFIG_WPS build option enabled and WPS enabled in runtime configuration

wpa_supplicant and hostapd processes are not directly affected, i.e., the vulnerability occurs in the wpa_cli/hostapd process based on information received from wpa_supplicant/hostapd.

Attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a frame that triggers a suitable formatted event message to allow full control on command execution.

Possible mitigation steps

- Update to wpa_cli/hostapd_cli from wpa_supplicant/hostapd v2.3

- Merge the following commits to an older version of wpa_cli/hostapd_cli and rebuild it:

  Add os_exec() helper to run external programs
  wpa_cli: Use os_exec() for action script execution
  hostapd_cli: Use more robust mechanism for action script execution

  These patches are available from http://w1.fi/security/2014-1/

- Disable use of wpa_cli/hostapd_cli command to run action scripts (this may prevent functionality)

-- 
Jouni Malinen                                            PGP id EFC895FA
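
Added example, not part of the original advisory and not the project's os_exec() code: it contrasts the system()-style command string the advisory describes with a fork/execv call that hands the event text to the script as a single argument. The function names, the script path, the interface name and the event string are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern from the advisory: event text is pasted into a shell
 * command line, so a shell would parse whatever the peer sent.
 * This only builds the string; it is never passed to system() here. */
int build_shell_cmd(char *buf, size_t len, const char *script,
                    const char *ifname, const char *event)
{
    return snprintf(buf, len, "%s %s %s", script, ifname, event);
}

/* Hardened pattern: fork + execv, no shell. Every value is exactly one
 * argv element. Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid;

    fflush(NULL); /* keep parent output ordered ahead of the child's */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed event text with characters a shell treats specially. */
    char event[] = "EVENT name=a b;c";
    char cmd[128];
    /* /bin/sh -c with a fixed script stands in for the action script:
     * $1 is the interface and $2 the event, as positional arguments. */
    char *argv[] = { "/bin/sh", "-c",
                     "printf 'ifname=[%s] event=[%s]\\n' \"$1\" \"$2\"",
                     "action", "wlan0", event, NULL };

    build_shell_cmd(cmd, sizeof(cmd), "/path/to/action.sh", "wlan0", event);
    printf("shell form (unsafe): %s\n", cmd);
    return run_argv(argv);
}
```

In the execv form the stand-in script sees the whole event, spaces and semicolon included, as its second argument; in the shell form the same bytes would be split and interpreted by the shell.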