Bug 1151259 - (CVE-2014-3686) CVE-2014-3686 wpa_supplicant and hostapd: wpa_cli and hostapd_cli remote command execution issue
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
QA Contact: Ken Benoit
Whiteboard: impact=moderate,public=20141010,repor...
Keywords: Security
Duplicates: 1155828
Depends On: 1151260 1151261 1151262 1151263 1157911 1157912 1157913 1157914
Blocks: 1151264
Reported: 2014-10-09 20:49 EDT by Murray McAllister
Modified: 2015-01-04 17:42 EST (History)
Fixed In Version: wpa_supplicant 2.3, hostapd 2.3
Doc Type: Bug Fix
Doc Text:
A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script (specified using the -a command line option), and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause wpa_cli to execute arbitrary code.
Last Closed: 2014-12-03 15:20:48 EST
External Trackers

Red Hat Product Errata RHSA-2014:1956 (priority: normal, status: SHIPPED_LIVE): Moderate: wpa_supplicant security update; last updated 2014-12-03 19:14:45 EST
Description Murray McAllister 2014-10-09 20:49:51 EDT
Jouni Malinen discovered that a string supplied from a remote device could be supplied to a system() call in wpa_cli or hostapd_cli when running an action script (with the "-a" option), resulting in arbitrary command execution. This issue could also be triggered by an attacker within radio range.

Patches are available from the following:

http://w1.fi/security/2014-1/

Based on the information about affected configurations in the upstream advisory, Red Hat Enterprise Linux 5 is likely to be not vulnerable, but Red Hat Enterprise Linux 6 and 7 are likely to be vulnerable.

Acknowledgements:

Red Hat would like to thank Jouni Malinen for reporting this issue.

References:

http://w1.fi/security/2014-1/
http://www.openwall.com/lists/oss-security/2014/10/09/28
Comment 1 Murray McAllister 2014-10-09 20:51:41 EDT
Created hostapd tracking bugs for this issue:

Affects: fedora-all [bug 1151260]
Affects: epel-6 [bug 1151261]
Affects: epel-7 [bug 1151262]
Comment 2 Murray McAllister 2014-10-09 20:51:44 EDT
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1151263]
Comment 3 Dan Williams 2014-10-22 19:53:15 EDT
*** Bug 1155828 has been marked as a duplicate of this bug. ***
Comment 4 Dan Williams 2014-10-22 20:01:32 EDT
Is this not a problem in RHEL7 as well?  wpa_cli is shipped there too.
Comment 5 Dan Williams 2014-10-27 10:26:16 EDT
Murray, was this determined to not be a problem for EL7?  There's a bug open for epel7 already, but that's for the 'hostapd' side of things which we don't ship in RHEL7.  We *do* ship wpa_supplicant in RHEL7 and I believe that it also requires a patch.

If it is a problem for RHEL7's wpa_supplicant, could you create a security bug for EL7 so I can update the package there too?
Comment 6 Murray McAllister 2014-10-27 22:52:09 EDT
RHEL 6 and 7 are affected. I will get things moving.
Comment 8 Tomas Hoger 2014-10-28 05:07:23 EDT
Fixed upstream in wpa_supplicant 2.3 and hostapd 2.3:

http://lists.shmoo.com/pipermail/hostap/2014-October/031019.html
http://lists.shmoo.com/pipermail/hostap/2014-October/031018.html
Comment 10 Tomas Hoger 2014-10-28 06:16:14 EDT
Upstream announcement lists the following configurations as affected.  Quoting from:

  http://lists.shmoo.com/pipermail/hostap/2014-October/031019.html

  wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and
  connecting to a P2P group

  wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled

  wpa_supplicant v2.2 with CONFIG_HS20 build option enabled

  wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and
  operating as WPS Registrar

The versions of wpa_supplicant in Red Hat Enterprise Linux 5 and previous are older than 0.7.2.  The version of wpa_supplicant in Red Hat Enterprise Linux 6 is 0.7.3 and is built with CONFIG_WPS.  The version of wpa_supplicant in Red Hat Enterprise Linux 7 is 2.0 and is built with both CONFIG_WPS and CONFIG_P2P.

There is no application in Red Hat Enterprise Linux that executes wpa_cli in a vulnerable way.
Comment 11 Tomas Hoger 2014-10-28 06:23:04 EDT
After a further look at the 0.7.3 in Red Hat Enterprise Linux 6, I do not believe that version is affected.  It only executes the action script with two possible values for the second argument - "CONNECTED" or "DISCONNECTED".

A possibility to execute action script with different second argument seems to be first introduced in the following commit:

http://w1.fi/cgit/hostap/commit/?id=42f0101b

This was first included in wpa_supplicant version 1.0.
Comment 12 Tomas Hoger 2014-10-28 08:06:11 EDT
Upstream confirmed wpa_supplicant versions prior to 1.0 are not affected.  Upstream advisory now includes the following update:

  http://w1.fi/security/2014-1/wpacli-action-scripts.txt

  October 28, 2014
  - Removed "wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option
    enabled and operating as WPS Registrar" as a vulnerable combination
    since wpa_cli actually filters out the potentially problematic event
    string from wpa_supplicant while hostapd_cli does not.
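As an added illustration, not code from this bug or from the hostap project, of the pattern the description and Comments 11 and 12 turn on: the action script's second argument is an event string that originates from the supplicant (and so from the radio), and any shape that splices it into a command line for system() lets /bin/sh parse it. The hardened variant passes the event as one argv element through execv(), so no shell is involved; the function names, the script path and the sample event string are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape: script, interface and event spliced into one command
 * line. Handing this string to system() is the flaw the advisory describes,
 * since /bin/sh then parses whatever the event contains. Built here for
 * inspection only; never executed. Returns snprintf()'s byte count. */
int build_shell_command(char *buf, size_t size, const char *script,
                        const char *ifname, const char *event)
{
    return snprintf(buf, size, "%s %s %s", script, ifname, event);
}

/* Audit signal: 1 if the event string carries shell metacharacters, else 0.
 * Legitimate P2P events contain quotes and '=', so this is not a fix. */
int event_has_shell_meta(const char *event)
{
    return strpbrk(event, ";&|`$()<>\\\"'\n") != NULL;
}

/* Hardened shape: the event is one argv element passed through execv(), so
 * no shell interprets it. Returns the script's exit status, 127 if it could
 * not be executed, or -1 on fork()/waitpid() failure. */
int run_action_script(const char *script, const char *ifname, const char *event)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
        execv(script, argv);
        _exit(127);  /* only reached if execv() fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *event = "CONNECTED; echo injected";  /* constructed sample */
    char cmd[256];
    build_shell_command(cmd, sizeof(cmd), "/etc/wpa_action.sh", "wlan0", event);
    printf("shell line: %s\nmeta: %d\nexec status: %d\n", cmd,
           event_has_shell_meta(event), run_action_script("/bin/true", "wlan0", event));
    return 0;
}
```

/bin/true receives the whole event verbatim as argv[2] and exits 0, which is the point: nothing between wpa_cli and the script re-tokenises the string.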
Comment 14 Fedora Update System 2014-10-29 07:05:31 EDT
wpa_supplicant-2.0-12.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2014-11-01 12:25:38 EDT
hostapd-2.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Martin Prpič 2014-11-05 05:02:04 EST
IssueDescription:

A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script (specified using the -a command line option), and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause wpa_cli to execute arbitrary code.
Comment 17 Fedora Update System 2014-11-06 21:35:42 EST
hostapd-2.0-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2014-11-06 21:40:26 EST
hostapd-2.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2014-11-10 01:21:14 EST
wpa_supplicant-2.0-12.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2014-11-12 18:16:59 EST
hostapd-2.0-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2014-11-12 18:18:37 EST
hostapd-2.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Tomas Hoger 2014-12-03 10:50:20 EST
Statement:

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 25 errata-xmlrpc 2014-12-03 14:15:04 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1956 https://rhn.redhat.com/errata/RHSA-2014-1956.html