Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 524928 (CVE-2014-3686) - <net-wireless/wpa_supplicant-2.4: action script execution vulnerability (CVE-2014-3686)
Summary: <net-wireless/wpa_supplicant-2.4: action script execution vulnerability (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2014-3686
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
: 547162 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-10-10 08:49 UTC by Agostino Sarubbo
Modified: 2016-06-27 10:35 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-10-10 08:49:42 UTC
From ${URL} :

Published: October 9, 2014
Identifier: CVE-2014-3686
Latest version available from: http://w1.fi/security/2014-1/


Vulnerability

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root or at least network admin in common use
cases).


Vulnerable versions/configurations

wpa_cli is a component distributed with wpa_supplicant and hostapd_cli
is a component distributed with hostapd. The vulnerability affects only
cases where wpa_cli or hostapd_cli is used to run action scripts (-a
command line option) and one (or more) of the following build
combinations for wpa_supplicant/hostapd is used:

wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and
connecting to a P2P group

wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled

wpa_supplicant v2.2 with CONFIG_HS20 build option enabled

wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and
operating as WPS Registrar

hostapd v0.7.2-v2.2 with CONFIG_WPS build option enabled and WPS enabled
in runtime configuration

wpa_supplicant and hostapd processes are not directly affected, i.e.,
the vulnerability occurs in the wpa_cli/hostapd process based on
information received from wpa_supplicant/hostapd.

Attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a frame that triggers a
suitable formatted event message to allow full control on command
execution.


Possible mitigation steps

- Update to wpa_cli/hostapd_cli from wpa_supplicant/hostapd v2.3

- Merge the following commits to an older version of wpa_cli/hostapd_cli
  and rebuild it:

  Add os_exec() helper to run external programs
  wpa_cli: Use os_exec() for action script execution
  hostapd_cli: Use more robust mechanism for action script execution

  These patches are available from http://w1.fi/security/2014-1/

- Disable use of wpa_cli/hostapd_cli command to run action scripts
  (this may prevent functionality)



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2014-10-10 18:57:54 UTC
This is fixed in 2.3 - I have bumped wpa_supplicant to this version.

It needs to be stabilized on these archs before we can remove the old versions: amd64, arm, ppc, ppc64, x86
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 03:59:15 UTC
(In reply to Bjarke Istrup Pedersen from comment #1)
> This is fixed in 2.3 - I have bumped wpa_supplicant to this version.
> 
> It needs to be stabilized on these archs before we can remove the old
> versions: amd64, arm, ppc, ppc64, x86

are you ready for stabilization or need more testing?
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2014-10-15 07:22:48 UTC
Lets go for stable - being able to remove the older versions would clean up a few things for both hostapd and wpa_supplicant.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 02:03:16 UTC
CVE-2014-3686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3686):
  wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain
  configurations and using wpa_cli or hostapd_cli with action scripts, allows
  remote attackers to execute arbitrary commands via a crafted frame.
Comment 5 charles17 2015-02-11 08:09:24 UTC
(In reply to Bjarke Istrup Pedersen from comment #3)
> Lets go for stable - being able to remove the older versions would clean up
> a few things for both hostapd and wpa_supplicant.

What's hampering stabilization? wpa_supplicant-2.3-r1 is in the tree since ages.
Comment 6 walt 2015-02-11 19:10:22 UTC
> What's hampering stabilization? wpa_supplicant-2.3-r1 is in the tree since
> ages.

FWIW, I just updated to 2.3-r2 and systemd will no longer actually start wpa_supplicant (though it tries and fails for unknown reasons).

I'm downgrading to 2.3, which seemed to work properly for me.  (2.3-r1 is no longer in portage AFAICT.)
Comment 7 walt 2015-02-11 20:06:34 UTC
(In reply to walt from comment #6)
 
> I'm downgrading to 2.3, which seemed to work properly for me.  (2.3-r1 is no
> longer in portage AFAICT.)

That didn't fix it, and neither did downgrading systemd to 218-r2, which also was updated yesterday.  I'll keep looking.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-03-20 23:31:22 UTC
Being stabilized bug Bug #543790
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-03-24 12:29:12 UTC
(In reply to Yury German from comment #8)
> Being stabilized bug Bug #543790

it seems we have to stabilize 2.4
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-04-04 15:39:17 UTC
The version: 2.4 is in the tree. Please advise when ready to go stable or call for stabilization yourself.
Comment 11 Ian Stakenvicius (RETIRED) gentoo-dev 2015-04-20 16:32:57 UTC
*** Bug 547162 has been marked as a duplicate of this bug. ***
Comment 12 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-04-21 09:08:09 UTC
Lets go with 2.4 now, so we can get this fixed.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 15:12:48 UTC
Arches, please test and mark stable:

=net-wireless/wpa_supplicant-2.4

Target Keywords : "amd64 arm ppc ppc64 x86"

Thank you!
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-23 05:51:08 UTC
Stable for PPC64.
Comment 15 Agostino Sarubbo gentoo-dev 2015-04-23 11:17:50 UTC
amd64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-04-23 11:18:32 UTC
x86 stable
Comment 17 Pacho Ramos gentoo-dev 2015-04-26 16:51:27 UTC
ppc stable
Comment 18 Rick Farina (Zero_Chaos) gentoo-dev 2015-04-27 18:27:10 UTC
target stable version has been changed to 2.4-r1 due to bug #547492
Comment 19 Rick Farina (Zero_Chaos) gentoo-dev 2015-04-27 18:29:29 UTC
arm stable

Security, please remove all older versions of wpa_supplicant when you are ready.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2015-04-27 21:15:41 UTC
Arches, Thank you for your work.

GLSA Vote: yes
Comment 21 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-04-28 08:07:08 UTC
+  28 Apr 2015; Mikle Kolyada <zlogene@gentoo.org> -wpa_supplicant-2.0-r2.ebuild,
+  -wpa_supplicant-2.2-r1.ebuild:
+  Drop unsecure versions
+
Comment 22 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-04-30 18:59:40 UTC
GLSA Vote: Yes

New request filed
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2016-06-27 10:35:38 UTC
This issue was resolved and addressed in
 GLSA 201606-17 at https://security.gentoo.org/glsa/201606-17
by GLSA coordinator Aaron Bauman (b-man).