Red Hat Bugzilla – Bug 1332422
CVE-2016-4476 wpa_supplicant, hostapd: denial of service via crafted WPA/WPA2 passphrase parameter
Last modified: 2016-07-18 22:30:14 EDT
A vulnerability was found in how hostapd and wpa_supplicant writes the configuration file update for the WPA/WPA2 passphrase parameter. If this parameter has been updated to include control characters either through a WPS operation or through local configuration change over the wpa_supplicant control interface, the resulting configuration file may prevent the hostapd and wpa_supplicant from starting when the updated file is used. References: http://seclists.org/oss-sec/2016/q2/187
Created hostapd tracking bugs for this issue: Affects: fedora-all [bug 1332425] Affects: epel-all [bug 1332427]
Created wpa_supplicant tracking bugs for this issue: Affects: fedora-all [bug 1332426]
Prerequisites for the flaw to be exploitable are described upstream at http://w1.fi/security/2016-1/psk-parameter-config-update.txt > WPS needs to be enabled in the runtime operation and the WPS operation > needs to have been authorized by the local user over the control > interface. For wpa_supplicant, update_config=1 must have been enabled in > the configuration file. RHEL-6 and -7 versions have CONFIG_WPS enabled, however default configuration does not include the `update_config=1` flag. Normally, network connections are managed by NetworkManager which gives credentials to wpa_supplicant over DBus. It is possible to send invalid byte sequences as part of the key, but this flaw only comes into effect if wpa_supplicant itself writes these sequences into its config file and then attempts to re-read the file. Turning `update_config=1` on is not recommended since it allows users who can use the control interface to overwrite the entire wpa_supplicant configuration.