Bug 1332423 – CVE-2016-4477 wpa_supplicant: local configuration update allows privilege escalation

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1332423 - (CVE-2016-4477) CVE-2016-4477 wpa_supplicant: local configuration update allows privilege escalation

Summary:	CVE-2016-4477 wpa_supplicant: local configuration update allows privilege esc...

Status:	CLOSED WONTFIX

Aliases:	CVE-2016-4477

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160502,repor...
Keywords:	Security

Depends On:	1332426
Blocks:	1332428
	Show dependency tree / graph

Reported:	2016-05-03 03:38 EDT by Andrej Nemec
Modified:	2016-07-18 22:29 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:	wpa_supplicant 2.6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-07-18 22:29:28 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2016-05-03 03:38:47 EDT

The local configuration update through the control interface SET_NETWORK
command could allow privilege escalation for the local user to run code
from a locally stored library file under the same privileges as the
wpa_supplicant process has. The assumption here is that a not fully
trusted user/application might have access through a connection manager
to set network profile parameters like psk, but would not have access to
set other configuration file parameters. If the connection manager in
such a case does not filter out control characters from the psk value,
it could have been possible to practically update the global parameters
by embedding a newline character within the psk value. In addition, the
untrusted user/application would need to be able to install a library
file somewhere on the device from where the wpa_supplicant process has
privileges to load the library.

References:

http://seclists.org/oss-sec/2016/q2/187

Comment 1 Andrej Nemec 2016-05-03 03:40:45 EDT

Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1332426]

Comment 2 Andrej Nemec 2016-05-04 03:08:15 EDT

External references:

http://w1.fi/security/2016-1/

Comment 3 Doran Moppert 2016-07-18 03:32:59 EDT

From the upstream report linked in comment 2:

> For the local control interface attack vector (CVE-2016-4477):
> 
> wpa_supplicant v0.4.0-v2.5 with control interface enabled
> 
> update_config=1 must have been enabled in the configuration file.

wpa_supplicant versions shipped in RHEL 5-7 are within the affected versions;  however, default configuration does not include the `update_config=1` flag.

Normally, network connections are managed by NetworkManager which gives credentials to wpa_supplicant over DBus.  It is possible to send invalid byte sequences as part of the key, but this flaw only comes into effect if wpa_supplicant itself writes these sequences into its config file and then attempts to re-read the file.

Turning `update_config=1` on is not recommended since it allows users who can use the control interface to overwrite the entire wpa_supplicant configuration.

Note You need to log in before you can comment on or make changes to this bug.