Bug 1151259 (CVE-2014-3686)

Summary: CVE-2014-3686 wpa_supplicant and hostapd: wpa_cli and hostapd_cli remote command execution issue
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Ken Benoit <kbenoit>
Severity: medium
Priority: medium
Version: unspecified
CC: chazlett, dcbw, linville, mmcallis, negativo17, rkhan, vdanen
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: wpa_supplicant 2.3, hostapd 2.3
Doc Type: Bug Fix
Doc Text:
A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script (specified using the -a command line option), and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause wpa_cli to execute arbitrary code.
Last Closed: 2014-12-03 20:20:48 UTC
Bug Depends On: 1151260, 1151261, 1151262, 1151263, 1157911, 1157912, 1157913, 1157914
Bug Blocks: 1151264

Description Murray McAllister 2014-10-10 00:49:51 UTC
Jouni Malinen discovered that a string supplied from a remote device could be supplied to a system() call in wpa_cli or hostapd_cli when running an action script (with the "-a" option), resulting in arbitrary command execution. This issue could also be triggered by an attacker within radio range.

Patches are available from the following:

http://w1.fi/security/2014-1/

Based on the information about affected configurations in the upstream advisory, Red Hat Enterprise Linux 5 is likely not vulnerable, but Red Hat Enterprise Linux 6 and 7 are likely vulnerable.

Acknowledgements:

Red Hat would like to thank Jouni Malinen for reporting this issue.

References:

http://w1.fi/security/2014-1/
http://www.openwall.com/lists/oss-security/2014/10/09/28

Comment 1 Murray McAllister 2014-10-10 00:51:41 UTC
Created hostapd tracking bugs for this issue:

Affects: fedora-all [bug 1151260]
Affects: epel-6 [bug 1151261]
Affects: epel-7 [bug 1151262]

Comment 2 Murray McAllister 2014-10-10 00:51:44 UTC
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1151263]

Comment 3 Dan Williams 2014-10-22 23:53:15 UTC
*** Bug 1155828 has been marked as a duplicate of this bug. ***

Comment 4 Dan Williams 2014-10-23 00:01:32 UTC
Is this not a problem in RHEL7 as well?  wpa_cli is shipped there too.

Comment 5 Dan Williams 2014-10-27 14:26:16 UTC
Murray, was this determined to not be a problem for EL7?  There's a bug open for epel7 already, but that's for the 'hostapd' side of things which we don't ship in RHEL7.  We *do* ship wpa_supplicant in RHEL7 and I believe that it also requires a patch.

If it is a problem for RHEL7's wpa_supplicant, could you create a security bug for EL7 so I can update the package there too?

Comment 6 Murray McAllister 2014-10-28 02:52:09 UTC
RHEL 6 and 7 are affected. I will get things moving.

Comment 8 Tomas Hoger 2014-10-28 09:07:23 UTC
Fixed upstream in wpa_supplicant 2.3 and hostapd 2.3:

http://lists.shmoo.com/pipermail/hostap/2014-October/031019.html
http://lists.shmoo.com/pipermail/hostap/2014-October/031018.html

Comment 10 Tomas Hoger 2014-10-28 10:16:14 UTC
The upstream announcement lists the following configurations as affected.  Quoting from:

  http://lists.shmoo.com/pipermail/hostap/2014-October/031019.html

  wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and
  connecting to a P2P group

  wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled

  wpa_supplicant v2.2 with CONFIG_HS20 build option enabled

  wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and
  operating as WPS Registrar

The versions of wpa_supplicant in Red Hat Enterprise Linux 5 and previous are older than 0.7.2.  The version of wpa_supplicant in Red Hat Enterprise Linux 6 is 0.7.3 and is built with CONFIG_WPS.  The version of wpa_supplicant in Red Hat Enterprise Linux 7 is 2.0 and is built with both CONFIG_WPS and CONFIG_P2P.

There is no application in Red Hat Enterprise Linux that executes wpa_cli in a vulnerable way.

Comment 11 Tomas Hoger 2014-10-28 10:23:04 UTC
After a further look at 0.7.3 in Red Hat Enterprise Linux 6, I do not believe that version is affected.  It only executes the action script with two possible values for the second argument: "CONNECTED" or "DISCONNECTED".

The possibility of executing the action script with a different second argument seems to have been first introduced in the following commit:

http://w1.fi/cgit/hostap/commit/?id=42f0101b

This was first included in wpa_supplicant version 1.0.

Comment 12 Tomas Hoger 2014-10-28 12:06:11 UTC
Upstream confirmed that wpa_supplicant versions prior to 1.0 are not affected.  The upstream advisory now includes the following update:

  http://w1.fi/security/2014-1/wpacli-action-scripts.txt

  October 28, 2014
  - Removed "wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option
    enabled and operating as WPS Registrar" as a vulnerable combination
    since wpa_cli actually filters out the potentially problematic event
    string from wpa_supplicant while hostapd_cli does not.
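The injection point described in the report (a string partly supplied by a remote device reaching a system() call when an action script runs) and the reason a fork-and-exec path avoids it, shown as an added illustrative example in C that is not wpa_cli's or hostapd_cli's own code: the first function splices the event string into a shell command line for system(), the second passes it as a single argv element to execv() so no shell ever parses it. The function names, the 512-byte buffer and the use of /bin/echo as a stand-in action script are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Decode a wait status into the child's exit code, or -1 if it did not exit normally. */
static int exit_code(int status)
{
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable pattern (illustrative, not the project's code): the event text,
 * part of which can originate from a remote peer such as a P2P group parameter,
 * is spliced into a command line that system() hands to /bin/sh.  Any shell
 * metacharacters in the event are interpreted and executed. */
int run_action_vulnerable(const char *script, const char *ifname, const char *event)
{
    char cmd[512];                                /* buffer size is an assumption */
    int n = snprintf(cmd, sizeof(cmd), "%s %s %s", script, ifname, event);
    if (n < 0 || (size_t)n >= sizeof(cmd))
        return -1;
    return exit_code(system(cmd));                /* injection point */
}

/* Hardened pattern: fork and execv() the script directly with the event as one
 * argv element.  No shell parses the string, so "; false" stays a literal argument. */
int run_action_hardened(const char *script, const char *ifname, const char *event)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
        execv(script, argv);
        _exit(127);                               /* only reached if execv fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return exit_code(status);
}
```

With a constructed event such as "P2P-GROUP-STARTED p2p-wlan0-0 GO; false" and /bin/echo as the script, the system() path returns 1 because the injected `false` ran after echo, while the execv() path returns 0 and echo simply prints the whole event as one argument.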

Comment 14 Fedora Update System 2014-10-29 11:05:31 UTC
wpa_supplicant-2.0-12.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-11-01 16:25:38 UTC
hostapd-2.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Martin Prpič 2014-11-05 10:02:04 UTC
Issue Description:

A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script (specified using the -a command line option), and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause wpa_cli to execute arbitrary code.

Comment 17 Fedora Update System 2014-11-07 02:35:42 UTC
hostapd-2.0-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2014-11-07 02:40:26 UTC
hostapd-2.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2014-11-10 06:21:14 UTC
wpa_supplicant-2.0-12.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2014-11-12 23:16:59 UTC
hostapd-2.0-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2014-11-12 23:18:37 UTC
hostapd-2.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Tomas Hoger 2014-12-03 15:50:20 UTC
Statement:

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 25 errata-xmlrpc 2014-12-03 19:15:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1956 https://rhn.redhat.com/errata/RHSA-2014-1956.html