Bug 1151259 (CVE-2014-3686)
| Summary: | CVE-2014-3686 wpa_supplicant and hostapd: wpa_cli and hostapd_cli remote command execution issue | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | Ken Benoit <kbenoit> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | chazlett, dcbw, linville, mmcallis, negativo17, rkhan, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | wpa_supplicant 2.3, hostapd 2.3 | Doc Type: | Bug Fix |
| Doc Text: | A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script (specified using the -a command line option), and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause wpa_cli to execute arbitrary code. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-12-03 20:20:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1151260, 1151261, 1151262, 1151263, 1157911, 1157912, 1157913, 1157914 | | |
| Bug Blocks: | 1151264 | | |
Description
Murray McAllister
2014-10-10 00:49:51 UTC
Created hostapd tracking bugs for this issue:
Affects: fedora-all [bug 1151260]
Affects: epel-6 [bug 1151261]
Affects: epel-7 [bug 1151262]

Created wpa_supplicant tracking bugs for this issue:
Affects: fedora-all [bug 1151263]

*** Bug 1155828 has been marked as a duplicate of this bug. ***

Is this not a problem in RHEL7 as well? wpa_cli is shipped there too.

Murray, was this determined to not be a problem for EL7? There's a bug open for epel7 already, but that's for the 'hostapd' side of things which we don't ship in RHEL7. We *do* ship wpa_supplicant in RHEL7 and I believe that it also requires a patch. If it is a problem for RHEL7's wpa_supplicant, could you create a security bug for EL7 so I can update the package there too?

RHEL 6 and 7 are affected. I will get things moving.

Fixed upstream in wpa_supplicant 2.3 and hostapd 2.3:
http://lists.shmoo.com/pipermail/hostap/2014-October/031019.html
http://lists.shmoo.com/pipermail/hostap/2014-October/031018.html

Upstream git commits:
http://w1.fi/cgit/hostap/commit/?id=89de07a9442072f88d49869d8ecd8d42bae050a0
http://w1.fi/cgit/hostap/commit/?id=c5f258de76dbb67fb64beab39a99e5c5711f41fe
http://w1.fi/cgit/hostap/commit/?id=5d4fa2a29bef013e61185beb21a3ec110885eb9a

Upstream announcement lists the following configurations as affected. Quoting from:
http://lists.shmoo.com/pipermail/hostap/2014-October/031019.html

wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and connecting to a P2P group
wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled
wpa_supplicant v2.2 with CONFIG_HS20 build option enabled
wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and operating as WPS Registrar

The versions of wpa_supplicant in Red Hat Enterprise Linux 5 and previous are older than 0.7.2. The version of wpa_supplicant in Red Hat Enterprise Linux 6 is 0.7.3 and is built with CONFIG_WPS. The version of wpa_supplicant in Red Hat Enterprise Linux 7 is 2.0 and is built with both CONFIG_WPS and CONFIG_P2P.

There is no application in Red Hat Enterprise Linux that executes wpa_cli in a vulnerable way.

After a further look at the 0.7.3 version in Red Hat Enterprise Linux 6, I do not believe that version is affected. It only executes the action script with two possible values for the second argument, "CONNECTED" or "DISCONNECTED". The possibility of executing the action script with a different second argument seems to have been first introduced in the following commit:
http://w1.fi/cgit/hostap/commit/?id=42f0101b
This was first included in wpa_supplicant version 1.0.

Upstream confirmed wpa_supplicant versions prior to 1.0 are not affected.

Upstream advisory now includes the following update:
http://w1.fi/security/2014-1/wpacli-action-scripts.txt
October 28, 2014 - Removed "wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and operating as WPS Registrar" as a vulnerable combination since wpa_cli actually filters out the potentially problematic event string from wpa_supplicant while hostapd_cli does not.

wpa_supplicant-2.0-12.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

hostapd-2.3-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

IssueDescription: A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script (specified using the -a command line option), and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause wpa_cli to execute arbitrary code.

hostapd-2.0-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

hostapd-2.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

wpa_supplicant-2.0-12.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

hostapd-2.0-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

hostapd-2.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Statement: This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5 and 6.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2014:1956 https://rhn.redhat.com/errata/RHSA-2014-1956.html
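The thread above turns on how the event text reaches the action script: the 0.7.3 comment notes that only two fixed values ever reached it, and the advisory update notes that wpa_cli filters the WPS event while hostapd_cli does not. The C model below is an added example, not code from the hostap project or from this bug: it puts the pre-2.3 pattern (event text spliced into a system() command line) beside a fork/execv form with an argv array, the no-shell exec direction the upstream fix took. SAMPLE_EVENT is a constructed string, not a real capture, and /bin/echo stands in for an action script so the caller can see what actually arrived.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample event (not a real capture): shell metacharacters in the SSID. */
const char *SAMPLE_EVENT = "P2P-GROUP-STARTED p2p-wlan0-0 GO ssid=\"x; $(y) `z`\" freq=2412";

/* Vulnerable pattern (wpa_cli/hostapd_cli before 2.3): the event text is spliced
 * into one command line for system(), i.e. /bin/sh -c, so metacharacters in the
 * event are interpreted by the shell. Kept only for contrast with the safe form. */
int run_action_vulnerable(const char *script, const char *ifname, const char *event)
{
    char cmd[2048];
    int n = snprintf(cmd, sizeof(cmd), "%s %s %s", script, ifname, event);
    return (n < 0 || (size_t)n >= sizeof(cmd)) ? -1 : system(cmd);
}

/* Hardened pattern (the no-shell exec the upstream fix moved to): fork + execv()
 * with an argv array, so nothing ever parses the event as shell syntax. The
 * child's stdout is captured into out[] so the caller can see exactly what the
 * script received. Returns the child's exit status, or -1 on error. */
int run_action_safe(const char *script, const char *ifname, const char *event,
                    char *out, size_t outlen)
{
    int fds[2], status;
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(script, argv); /* each argv entry reaches the script verbatim */
        _exit(127);
    }
    close(fds[1]);
    size_t len = 0; ssize_t r;
    while (len + 1 < outlen && (r = read(fds[0], out + len, outlen - 1 - len)) > 0)
        len += (size_t)r;
    out[len] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With /bin/echo as the script, the safe runner returns the event byte for byte, `;` and `$(...)` included, as a single argument; the same string handed to run_action_vulnerable() would be parsed by /bin/sh.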