EAP-pwd last fragment validation (CVE-2015-5314)

A vulnerability was found in the EAP-pwd server and peer implementation used in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length was not checked for the last fragment (but was checked for other fragments). This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.

For hostapd used with an internal EAP server and EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack by an attacker within radio range of the AP device.

For hostapd used as a RADIUS server with EAP-pwd enabled in the runtime configuration, this could allow a denial of service attack by an attacker within radio range of any AP device that is authorized to use the RADIUS server.

For wpa_supplicant with EAP-pwd enabled in a network configuration profile, this could allow a denial of service attack by an attacker within radio range.

Vulnerable versions/configurations

hostapd v2.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration (hostapd/.config) and the EAP-pwd authentication server enabled in the runtime configuration.

wpa_supplicant v2.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network profile at runtime.

http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt

WPS configuration update vulnerability with malformed passphrase (CVE-2016-4476)

A vulnerability was found in how hostapd and wpa_supplicant write the configuration file update for the WPA/WPA2 passphrase parameter.

If this parameter has been updated to include control characters, either through a WPS operation (CVE-2016-4476) or through a local configuration change over the wpa_supplicant control interface (CVE-2016-4477), the resulting configuration file may prevent hostapd and wpa_supplicant from starting when the updated file is used. In addition, for wpa_supplicant, it may be possible to load a local library file and execute code from there with the same privileges under which the wpa_supplicant process runs.

The WPS trigger for this requires local user action to authorize the WPS operation in which a new configuration would be received. The attacker would also need to be in radio range of the device or have access to the IP network to act as a WPS External Registrar. Such an attack could result in denial of service by not allowing hostapd or wpa_supplicant to start after they have been stopped.

The local configuration update through the control interface SET_NETWORK command could allow privilege escalation for the local user to run code from a locally stored library file under the same privileges as the wpa_supplicant process has. The assumption here is that a not fully trusted user/application might have access through a connection manager to set network profile parameters like psk, but would not have access to set other configuration file parameters. If the connection manager in such a case does not filter out control characters from the psk value, it could have been possible to practically update the global parameters by embedding a newline character within the psk value. In addition, the untrusted user/application would need to be able to install a library file somewhere on the device from where the wpa_supplicant process has privileges to load the library.

Similarly to the SET_NETWORK case, if a connection manager exposes access to the SET_CRED or SET commands, a similar issue with newline characters can exist, as those commands do not filter out control characters from the value. It should also be noted that providing unlimited access to the wpa_supplicant control interface would allow arbitrary SET commands to be issued. Such unlimited access should not be provided to untrusted users/applications.

Vulnerable versions/configurations

For the local control interface attack vector (CVE-2016-4477):

wpa_supplicant v0.4.0-v2.5 with the control interface enabled; update_config=1 must have been enabled in the configuration file.

For the WPS attack vector (CVE-2016-4476):

wpa_supplicant v0.6.7-v2.5 with the CONFIG_WPS build option enabled

hostapd v0.6.7-v2.5 with the CONFIG_WPS build option enabled

WPS needs to be enabled in the runtime operation and the WPS operation needs to have been authorized by the local user over the control interface. For wpa_supplicant, update_config=1 must have been enabled in the configuration file.

http://w1.fi/security/2016-1/psk-parameter-config-update.txt
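The EAP-pwd reassembly defect above is a missing bounds check on the final fragment only. The following Python reassembler (an added example, not hostapd's EAP-pwd code; class and method names are assumed) applies the remaining-buffer check to every fragment, last one included, and turns an oversized fragment into a rejected message rather than a process abort:

```python
# Added example, not code from hostapd/wpa_supplicant. Models EAP-pwd
# fragment reassembly: the first fragment advertises the total message
# length, later fragments are appended, and the "more fragments" flag marks
# whether more data follows. The remaining-buffer check runs for EVERY
# fragment; the CVE-2015-5314 bug was that it was skipped for the last one.
from typing import List, Optional, Tuple


class FragmentError(Exception):
    """Raised when a fragment does not fit the announced message length."""


class EapPwdReassembler:
    def __init__(self, total_len: int, max_total: int = 65535):
        # Reject absurd advertised lengths before allocating anything.
        if total_len <= 0 or total_len > max_total:
            raise FragmentError("advertised total length out of range")
        self.total_len = total_len
        self.buf = bytearray()

    def remaining(self) -> int:
        return self.total_len - len(self.buf)

    def add_fragment(self, data: bytes, more_fragments: bool) -> Optional[bytes]:
        # The fix: bounds check applied regardless of more_fragments.
        if len(data) > self.remaining():
            raise FragmentError("fragment exceeds reassembly buffer")
        self.buf += data
        if more_fragments:
            return None  # wait for the rest of the message
        if len(self.buf) != self.total_len:
            raise FragmentError("last fragment does not complete the message")
        return bytes(self.buf)


def reassemble(total_len: int, fragments: List[Tuple[bytes, bool]]) -> bytes:
    """Feed (data, more_fragments) pairs in order; returns the full message."""
    r = EapPwdReassembler(total_len)
    out = None
    for data, more in fragments:
        out = r.add_fragment(data, more)
    if out is None:
        raise FragmentError("message incomplete")
    return out


def reassembly_rejected(total_len: int, fragments: List[Tuple[bytes, bool]]) -> bool:
    """True if the reassembler refuses the sequence instead of overrunning."""
    try:
        reassemble(total_len, fragments)
        return False
    except FragmentError:
        return True
```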
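For the passphrase config-update issue (CVE-2016-4476/4477), the practical defence is to reject control characters in the value before it reaches a line-oriented configuration file. This added Python example (not wpa_supplicant's config writer; function names and the `injected_param` value are constructed placeholders) shows a validator and a writer that refuses unsafe values, plus a switch that reproduces the unfixed behaviour so the extra config line can be counted:

```python
# Added example, not code from hostapd/wpa_supplicant. A WPA/WPA2
# passphrase is 8..63 printable ASCII characters; a control character such
# as "\n" inside it would be written into the config file as a line break,
# which is how a psk value could turn into extra configuration lines.
import re

_PRINTABLE = re.compile(r"^[\x20-\x7e]{8,63}$")


def passphrase_is_safe(psk: str) -> bool:
    """True only for 8..63 printable ASCII chars (no \\n, \\r or other
    control characters)."""
    return _PRINTABLE.match(psk) is not None


def write_network_block(ssid: str, psk: str, validate: bool = True) -> str:
    """Render a wpa_supplicant-style network block.

    validate=True (the fixed behaviour) raises ValueError for an unsafe
    passphrase; validate=False mimics the pre-2.6 writer that copied the
    value verbatim, for illustration only.
    """
    if validate and not passphrase_is_safe(psk):
        raise ValueError("passphrase has bad length or control characters")
    return 'network={\n\tssid="%s"\n\tpsk="%s"\n}\n' % (ssid, psk)


def rendered_line_count(ssid: str, psk: str) -> int:
    """Lines the unvalidated writer would produce; a clean block is 4 lines,
    any more means the value was split into additional config lines."""
    return write_network_block(ssid, psk, validate=False).count("\n")


def writer_rejects(ssid: str, psk: str) -> bool:
    """True if the validating writer refuses to emit this passphrase."""
    try:
        write_network_block(ssid, psk)
        return False
    except ValueError:
        return True


# Constructed sample values; "injected_param" is a placeholder, not a real
# wpa_supplicant parameter.
GOOD_PSK = "correct horse battery"
BAD_PSK = "abcdefgh\ninjected_param=1"
```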
@ maintainer(s): Upstream has released v2.6, which contains fixes for the reported vulnerabilities. After the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization.
Bumped, please stabilize and then remove the old version.
@ Maintainer: Thank you for your work!

@ Arches, please test and mark stable:
=net-wireless/hostapd-2.6

Stable targets: amd64 ppc x86
amd64 stable
x86 stable
CVE-2016-4476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4476): hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.
ppc stable. Maintainer(s), please clean up. Security, please vote.
GLSA Vote: No
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebe1113981b3c4e418a8ebfbee03bc15f017f4e3