Bug 1332422 (CVE-2016-4476)

Summary: CVE-2016-4476 wpa_supplicant, hostapd: denial of service via crafted WPA/WPA2 passphrase parameter
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: blueowl, carnil, dcbw, linville, lkundrak, negativo17, rkhan, slawomir
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: wpa_supplicant 2.6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-07-19 02:30:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1332425, 1332426, 1332427
Bug Blocks: 1332428

Description Andrej Nemec 2016-05-03 07:34:08 UTC
A vulnerability was found in how hostapd and wpa_supplicant write the
configuration file update for the WPA/WPA2 passphrase parameter. If this
parameter has been updated to include control characters, either through
a WPS operation or through a local configuration change over the
wpa_supplicant control interface, the resulting configuration file may
prevent hostapd and wpa_supplicant from starting when the updated
file is used.

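As an added example (not code from this bug report, from Red Hat, or from the hostapd/wpa_supplicant project), the following Python script shows the defensive checks the description above implies: a passphrase validator that a management front end can apply before a value is handed to wpa_supplicant, and an audit of an existing wpa_supplicant.conf or hostapd.conf that reports passphrase values containing control characters or broken by an embedded line break, together with whether `update_config=1` (the precondition discussed later in this bug) is set. The sample configuration text is constructed for this example and the function names are this example's own.

```python
"""Defensive checks for the CVE-2016-4476 configuration-file hazard.

validate_passphrase(): reject a WPA/WPA2 passphrase before it reaches
    wpa_supplicant/hostapd. IEEE 802.11i defines a passphrase as 8..63
    printable ASCII characters (0x20..0x7E), so any control character is
    rejected by construction.
audit_config(): scan configuration text for passphrase values that carry
    control characters (or were split by an embedded newline) and report
    whether update_config=1 is enabled.
"""
import re

# wpa_supplicant writes the passphrase as a quoted value: psk="..."
# (a 64-hex-digit raw PSK is written unquoted and is not a passphrase).
QUOTED = re.compile(r'^\s*(?P<key>psk)\s*=\s*"(?P<rest>.*)$')
# hostapd writes the passphrase unquoted: wpa_passphrase=...
UNQUOTED = re.compile(r'^\s*(?P<key>wpa_passphrase)\s*=(?P<value>.*)$')
UPDATE_CONFIG_ON = re.compile(r'^update_config\s*=\s*1\b')


def control_chars(s):
    """Return the set of C0 control characters and DEL present in s."""
    return {ch for ch in s if ord(ch) < 0x20 or ord(ch) == 0x7F}


def validate_passphrase(passphrase):
    """Return (ok, reason); accept only 8..63 printable ASCII characters."""
    if not isinstance(passphrase, str):
        return False, "not a string"
    if not 8 <= len(passphrase) <= 63:
        return False, "length must be 8..63 characters"
    bad = [ch for ch in passphrase if not 0x20 <= ord(ch) <= 0x7E]
    if bad:
        return False, "non-printable or non-ASCII characters: %r" % bad
    return True, "ok"


def _describe(bad):
    return "control characters " + ", ".join(
        sorted("U+%04X" % ord(c) for c in bad))


def audit_config(text):
    """Return {'update_config': bool, 'bad_passphrases': [(line, key, why)]}.

    The text is split on '\\n' only, so other control characters stay inside
    the line where they can be reported; a passphrase containing '\\n'
    shows up as an unterminated quoted value, which is exactly what breaks
    the parser on the next start.
    """
    findings = []
    update_config = False
    for lineno, line in enumerate(text.split("\n"), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if UPDATE_CONFIG_ON.match(stripped):
            update_config = True
        m = QUOTED.match(line)
        if m:
            rest = m.group("rest").rstrip(" \t")
            if not rest.endswith('"'):
                findings.append((lineno, m.group("key"),
                                 "unterminated quoted value (embedded line break?)"))
                continue
            bad = control_chars(rest[:-1])
            if bad:
                findings.append((lineno, m.group("key"), _describe(bad)))
            continue
        m = UNQUOTED.match(line)
        if m:
            bad = control_chars(m.group("value"))
            if bad:
                findings.append((lineno, m.group("key"), _describe(bad)))
    return {"update_config": update_config, "bad_passphrases": findings}


# Constructed sample: one clean network, one passphrase with a control
# character, one passphrase split by an embedded newline.
SAMPLE_CONF = (
    'ctrl_interface=/var/run/wpa_supplicant\n'
    'update_config=1\n'
    'network={\n'
    '\tssid="home"\n'
    '\tpsk="correct horse"\n'
    '}\n'
    'network={\n'
    '\tssid="office"\n'
    '\tpsk="bad\x01phrase"\n'
    '}\n'
    'network={\n'
    '\tssid="guest"\n'
    '\tpsk="split\nphrase"\n'
    '}\n'
)

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONF)
    print("update_config=1:", report["update_config"])
    for lineno, key, why in report["bad_passphrases"]:
        print("line %d: %s: %s" % (lineno, key, why))
```

Run against a real file with `audit_config(open(path).read())`; a non-empty `bad_passphrases` list means the file would fail to load on the next restart, and `update_config` being true means the daemon itself will keep rewriting the file from control-interface input.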


Comment 1 Andrej Nemec 2016-05-03 07:40:30 UTC
Created hostapd tracking bugs for this issue:

Affects: fedora-all [bug 1332425]
Affects: epel-all [bug 1332427]

Comment 2 Andrej Nemec 2016-05-03 07:40:38 UTC
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1332426]

Comment 3 Doran Moppert 2016-07-18 07:38:16 UTC
Prerequisites for the flaw to be exploitable are described upstream at 

> WPS needs to be enabled in the runtime operation and the WPS operation
> needs to have been authorized by the local user over the control
> interface. For wpa_supplicant, update_config=1 must have been enabled in
> the configuration file.

RHEL-6 and -7 versions have CONFIG_WPS enabled; however, the default configuration
does not include the `update_config=1` flag.

Normally, network connections are managed by NetworkManager which gives 
credentials to wpa_supplicant over DBus.  It is possible to send invalid byte 
sequences as part of the key, but this flaw only comes into effect if 
wpa_supplicant itself writes these sequences into its config file and then 
attempts to re-read the file.

Turning `update_config=1` on is not recommended since it allows users who can 
use the control interface to overwrite the entire wpa_supplicant