Bug 1332422 (CVE-2016-4476) - CVE-2016-4476 wpa_supplicant, hostapd: denial of service via crafted WPA/WPA2 passphrase parameter
Summary: CVE-2016-4476 wpa_supplicant, hostapd: denial of service via crafted WPA/WPA2...
Alias: CVE-2016-4476
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1332425 1332426 1332427
Blocks: 1332428
TreeView+ depends on / blocked
Reported: 2016-05-03 07:34 UTC by Andrej Nemec
Modified: 2019-09-29 13:48 UTC (History)
8 users (show)

Fixed In Version: wpa_supplicant 2.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-07-19 02:30:14 UTC

Attachments (Terms of Use)

Description Andrej Nemec 2016-05-03 07:34:08 UTC
A vulnerability was found in how hostapd and wpa_supplicant writes the
configuration file update for the WPA/WPA2 passphrase parameter. If this
parameter has been updated to include control characters either through
a WPS operation or through local configuration change over the
wpa_supplicant control interface, the resulting configuration file may
prevent the hostapd and wpa_supplicant from starting when the updated
file is used.



Comment 1 Andrej Nemec 2016-05-03 07:40:30 UTC
Created hostapd tracking bugs for this issue:

Affects: fedora-all [bug 1332425]
Affects: epel-all [bug 1332427]

Comment 2 Andrej Nemec 2016-05-03 07:40:38 UTC
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1332426]

Comment 3 Doran Moppert 2016-07-18 07:38:16 UTC
Prerequisites for the flaw to be exploitable are described upstream at 

> WPS needs to be enabled in the runtime operation and the WPS operation
> needs to have been authorized by the local user over the control
> interface. For wpa_supplicant, update_config=1 must have been enabled in
> the configuration file.

RHEL-6 and -7 versions have CONFIG_WPS enabled, however default configuration 
does not include the `update_config=1` flag.

Normally, network connections are managed by NetworkManager which gives 
credentials to wpa_supplicant over DBus.  It is possible to send invalid byte 
sequences as part of the key, but this flaw only comes into effect if 
wpa_supplicant itself writes these sequences into its config file and then 
attempts to re-read the file.

Turning `update_config=1` on is not recommended since it allows users who can 
use the control interface to overwrite the entire wpa_supplicant 

Note You need to log in before you can comment on or make changes to this bug.