A vulnerability was found in how hostapd and wpa_supplicant write the
configuration file update for the WPA/WPA2 passphrase parameter. If this
parameter has been updated to include control characters either through
a WPS operation or through local configuration change over the
wpa_supplicant control interface, the resulting configuration file may
prevent hostapd and wpa_supplicant from starting when the updated
file is used.
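An added example, not part of the original report or of the hostapd/wpa_supplicant code: a small audit that flags psk= lines in a saved wpa_supplicant.conf that would not re-read cleanly because the passphrase contained control characters. The function name and the sample file are constructed for illustration, and only the quoted-passphrase and 64-hex-digit PSK forms are handled.

```python
import re

# Constructed sample: a rewritten config where one passphrase contained a
# line feed and another an ESC byte; the third network is well-formed.
SAMPLE_CONF = (
    'update_config=1\n'
    'network={\n'
    '\tssid="office"\n'
    '\tpsk="correct horse\n'
    'battery"\n'
    '}\n'
    'network={\n'
    '\tssid="lab"\n'
    '\tpsk="lab\x1bpassword"\n'
    '}\n'
    'network={\n'
    '\tssid="guest"\n'
    '\tpsk="guest-passphrase"\n'
    '}\n'
)

CTRL = re.compile(r'[\x00-\x1f\x7f]')      # ASCII control characters
HEX_PSK = re.compile(r'[0-9a-fA-F]{64}')   # raw 256-bit PSK written as hex

def audit_conf(text):
    """Return (line_number, reason) pairs for lines that look damaged."""
    findings = []
    for num, raw in enumerate(text.split('\n'), start=1):
        line = raw.strip(' \t')            # indentation is not part of the value
        if CTRL.search(line):
            findings.append((num, 'control character in line'))
        if not line.startswith('psk='):
            continue
        value = line[len('psk='):]
        if HEX_PSK.fullmatch(value):
            continue
        # A passphrase must be a quoted string that opens and closes on one line.
        if not (len(value) >= 2 and value.startswith('"') and value.endswith('"')):
            findings.append((num, 'psk value is not a closed quoted string'))
        elif not 8 <= len(value) - 2 <= 63:  # WPA passphrases are 8..63 characters
            findings.append((num, 'passphrase length outside 8..63'))
    return findings

if __name__ == '__main__':
    for num, reason in audit_conf(SAMPLE_CONF):
        print(f'line {num}: {reason}')
```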
Created hostapd tracking bugs for this issue:
Affects: fedora-all [bug 1332425]
Affects: epel-all [bug 1332427]
Created wpa_supplicant tracking bugs for this issue:
Affects: fedora-all [bug 1332426]
Prerequisites for the flaw to be exploitable are described upstream at
> WPS needs to be enabled in the runtime operation and the WPS operation
> needs to have been authorized by the local user over the control
> interface. For wpa_supplicant, update_config=1 must have been enabled in
> the configuration file.
RHEL-6 and -7 versions have CONFIG_WPS enabled; however, the default configuration
does not include the `update_config=1` flag.
Normally, network connections are managed by NetworkManager which gives
credentials to wpa_supplicant over DBus. It is possible to send invalid byte
sequences as part of the key, but this flaw only comes into effect if
wpa_supplicant itself writes these sequences into its config file and then
attempts to re-read the file.
Turning `update_config=1` on is not recommended since it allows users who can
use the control interface to overwrite the entire wpa_supplicant