Bug 524928 (CVE-2014-3686) - <net-wireless/wpa_supplicant-2.4: action script execution vulnerability (CVE-2014-3686)
Status: RESOLVED FIXED
Alias: CVE-2014-3686
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Duplicates: 547162
Reported: 2014-10-10 08:49 UTC by Agostino Sarubbo
Modified: 2016-06-27 10:35 UTC
Description Agostino Sarubbo gentoo-dev 2014-10-10 08:49:42 UTC
From ${URL} :

Published: October 9, 2014
Identifier: CVE-2014-3686
Latest version available from: http://w1.fi/security/2014-1/


Vulnerability

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root or at least network admin in common use
cases).


Vulnerable versions/configurations

wpa_cli is a component distributed with wpa_supplicant and hostapd_cli
is a component distributed with hostapd. The vulnerability affects only
cases where wpa_cli or hostapd_cli is used to run action scripts (-a
command line option) and one (or more) of the following build
combinations for wpa_supplicant/hostapd is used:

wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and
connecting to a P2P group

wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled

wpa_supplicant v2.2 with CONFIG_HS20 build option enabled

wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and
operating as WPS Registrar

hostapd v0.7.2-v2.2 with CONFIG_WPS build option enabled and WPS enabled
in runtime configuration

wpa_supplicant and hostapd processes are not directly affected, i.e.,
the vulnerability occurs in the wpa_cli/hostapd process based on
information received from wpa_supplicant/hostapd.

Attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a frame that triggers a
suitably formatted event message to allow full control on command
execution.


Possible mitigation steps

- Update to wpa_cli/hostapd_cli from wpa_supplicant/hostapd v2.3

- Merge the following commits to an older version of wpa_cli/hostapd_cli
  and rebuild it:

  Add os_exec() helper to run external programs
  wpa_cli: Use os_exec() for action script execution
  hostapd_cli: Use more robust mechanism for action script execution

  These patches are available from http://w1.fi/security/2014-1/

- Disable use of wpa_cli/hostapd_cli command to run action scripts
  (this may prevent functionality)



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
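The advisory above describes an unsanitized event string reaching system() and the upstream fix replacing that with an os_exec() helper. The following is an added illustration, not code from the bug report or from wpa_supplicant: a minimal shell-based action-script launch beside an execv()-based one in the spirit of that fix. The script path, interface name and event string are constructed for the demonstration, with /bin/echo standing in for the action script.

```c
/* Added example (not wpa_supplicant's own code): the shell-based action-script
 * launch CVE-2014-3686 describes beside an execv()-based launch; no shell sees the event text. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Vulnerable pattern: daemon event text is interpolated into a command line
 * and handed to system(), i.e. to /bin/sh -c, which interprets metacharacters. */
int run_action_unsafe(const char *script, const char *ifname, const char *event)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s %s", script, ifname, event);
    return system(cmd);
}
/* Hardened pattern: fork + execv with a fixed argv, no shell. Runs
 * "script ifname event", captures the child's stdout into out[] and
 * returns its exit status (-1 on error). */
static int run_action_safe(const char *script, const char *ifname,
                           const char *event, char *out, size_t outlen)
{
    int pipefd[2], status;
    if (pipe(pipefd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]); close(pipefd[1]);
        execv(script, argv);  /* argv entries reach the script verbatim */
        _exit(127);
    }
    close(pipefd[1]);
    size_t n = 0; ssize_t r;
    while (n + 1 < outlen && (r = read(pipefd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* Constructed event string carrying a shell metacharacter sequence; /bin/echo
 * stands in for the action script. Returns 1 if the text arrived as literal data. */
int demo_event_is_passed_literally(void)
{
    char out[256];
    const char *event = "AP-STA-CONNECTED 00:11:22:33:44:55; echo INJECTED";
    if (run_action_safe("/bin/echo", "wlan0", event, out, sizeof out) != 0) return 0;
    return strcmp(out, "wlan0 AP-STA-CONNECTED 00:11:22:33:44:55; echo INJECTED\n") == 0;
}
```

With the execv() form the whole event string, semicolon included, is printed back as a single argument; the same string handed to system() would instead be parsed by /bin/sh.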
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2014-10-10 18:57:54 UTC
This is fixed in 2.3 - I have bumped wpa_supplicant to this version.

It needs to be stabilized on these archs before we can remove the old versions: amd64, arm, ppc, ppc64, x86
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 03:59:15 UTC
(In reply to Bjarke Istrup Pedersen from comment #1)
> This is fixed in 2.3 - I have bumped wpa_supplicant to this version.
> 
> It needs to be stabilized on these archs before we can remove the old
> versions: amd64, arm, ppc, ppc64, x86

Are you ready for stabilization or need more testing?
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2014-10-15 07:22:48 UTC
Let's go for stable - being able to remove the older versions would clean up a few things for both hostapd and wpa_supplicant.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 02:03:16 UTC
CVE-2014-3686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3686):
  wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain
  configurations and using wpa_cli or hostapd_cli with action scripts, allows
  remote attackers to execute arbitrary commands via a crafted frame.
Comment 5 charles17 2015-02-11 08:09:24 UTC
(In reply to Bjarke Istrup Pedersen from comment #3)
> Let's go for stable - being able to remove the older versions would clean up
> a few things for both hostapd and wpa_supplicant.

What's hampering stabilization? wpa_supplicant-2.3-r1 has been in the tree for ages.
Comment 6 walt 2015-02-11 19:10:22 UTC
> What's hampering stabilization? wpa_supplicant-2.3-r1 has been in the tree for
> ages.

FWIW, I just updated to 2.3-r2 and systemd will no longer actually start wpa_supplicant (though it tries and fails for unknown reasons).

I'm downgrading to 2.3, which seemed to work properly for me.  (2.3-r1 is no longer in portage AFAICT.)
Comment 7 walt 2015-02-11 20:06:34 UTC
(In reply to walt from comment #6)
> I'm downgrading to 2.3, which seemed to work properly for me.  (2.3-r1 is no
> longer in portage AFAICT.)

That didn't fix it, and neither did downgrading systemd to 218-r2, which also was updated yesterday.  I'll keep looking.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-03-20 23:31:22 UTC
Being stabilized in Bug #543790
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-24 12:29:12 UTC
(In reply to Yury German from comment #8)
> Being stabilized in Bug #543790

It seems we have to stabilize 2.4.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-04-04 15:39:17 UTC
Version 2.4 is in the tree. Please advise when ready to go stable, or call for stabilization yourself.
Comment 11 Ian Stakenvicius (RETIRED) gentoo-dev 2015-04-20 16:32:57 UTC
*** Bug 547162 has been marked as a duplicate of this bug. ***
Comment 12 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2015-04-21 09:08:09 UTC
Let's go with 2.4 now, so we can get this fixed.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 15:12:48 UTC
Arches, please test and mark stable:

=net-wireless/wpa_supplicant-2.4

Target Keywords : "amd64 arm ppc ppc64 x86"

Thank you!
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-23 05:51:08 UTC
Stable for PPC64.
Comment 15 Agostino Sarubbo gentoo-dev 2015-04-23 11:17:50 UTC
amd64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-04-23 11:18:32 UTC
x86 stable
Comment 17 Pacho Ramos gentoo-dev 2015-04-26 16:51:27 UTC
ppc stable
Comment 18 Rick Farina (Zero_Chaos) gentoo-dev 2015-04-27 18:27:10 UTC
target stable version has been changed to 2.4-r1 due to bug #547492
Comment 19 Rick Farina (Zero_Chaos) gentoo-dev 2015-04-27 18:29:29 UTC
arm stable

Security, please remove all older versions of wpa_supplicant when you are ready.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2015-04-27 21:15:41 UTC
Arches, Thank you for your work.

GLSA Vote: yes
Comment 21 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-04-28 08:07:08 UTC
+  28 Apr 2015; Mikle Kolyada <zlogene@gentoo.org> -wpa_supplicant-2.0-r2.ebuild,
+  -wpa_supplicant-2.2-r1.ebuild:
+  Drop unsecure versions
+
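Review bot: "unsecure" in the ChangeLog entry should read "insecure". The two ebuilds dropped here (2.0-r2 and 2.2-r1) both fall inside the affected 0.7.2 through 2.2 range given in the description, consistent with comment 18 moving the stable target to 2.4-r1.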
Comment 22 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-04-30 18:59:40 UTC
GLSA Vote: Yes

New request filed
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2016-06-27 10:35:38 UTC
This issue was resolved and addressed in
 GLSA 201606-17 at https://security.gentoo.org/glsa/201606-17
by GLSA coordinator Aaron Bauman (b-man).