oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: hostapd/wpa_supplicant - psk configuration parameter update allowing arbitrary data to be written

From: cve-assign () mitre org
Date: Tue, 3 May 2016 01:29:28 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Identifier: related to CVE-2016-2447


We understand the existence of the CVE-2016-2447 ID in
http://source.android.com/security/bulletin/2016-05-01.html and that
the reports credit Imre Rad; however, there are different exploitation
scenarios that affect different versions from the perspective of
hostapd/wpa_supplicant, and thus it is probably simplest for most
people to have separate hostapd/wpa_supplicant CVE IDs.


WPA/WPA2 passphrase parameter ... to include control characters



The WPS trigger for this requires local user action to authorize the WPS
operation in which a new configuration would be received. The attacker
would also need to be in radio range of the device or have access to the
IP network to act as a WPS External Registrar. Such an attack could
result in denial of service by not allowing hostapd or wpa_supplicant to
start after they have been stopped.

wpa_supplicant v0.6.7-v2.5 with CONFIG_WPS build option enabled
hostapd v0.6.7-v2.5 with CONFIG_WPS build option enabled


Use CVE-2016-4476.



The local configuration update through the control interface SET_NETWORK
command could allow privilege escalation for the local user to run code
from a locally stored library file

... SET_CRED or SET commands, similar issue ...

wpa_supplicant v0.4.0-v2.5 with control interface enabled


Use CVE-2016-4477.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXKDatAAoJEHb/MwWLVhi2mqQQALY+roiB6xee2Ux/cpcPcVC0
jOTKd+hEVHKojwM0C0740Og5ruVwQnSF8L4ggrcSIlRw+rLa2zvyCz56HFLaO7VK
UetNHBJej0XmLJBJBeg/BP+zZXLzym2ptjiQBW3FZorNoTE+baRxRUXGd14MSnOZ
7f00/E3omjRMm4+QutmiXL/iVARNYwdy2dYeeJfEFEw05l/YFjb/ozMjWIYvepEp
sxxtaxuSTPnMMlMfbhb/EvpvxnCTw6SZBbz1mA9i48ex3VT2VFmuRBiAZa56pptU
ghF4LeMhxmj2guc/G14To3VFc9Pj/Xd8qqMtk1E7n3Wg5ESd41ocFN6frav5MNDM
PoyemIa86Z86d/dxlAd7GLMBDSrKN3Sgk/ENbUNyCIdCsFWIX9FPvipigZliiO9X
KeMS5zAVqou8Cfq16VqtlsjIRq7cd0JwRWqzI3AvhMCyZz1FBVaQAe002grrs+TS
60ozbevL9AbtaCYvMIS4zE5kQAvbpPz6MWrwJMcv5NFbWLTB1+iHBkd9AB3N7Q4u
ba/fY8RB244bmu37+vgSunkamEmRHLoGx8byUTUXtKP0Yc0lFvartdRjQncS2qlZ
bzYhvTlR8QOJMgE+7Qf6aQhG0kwOMOrWN6IdIUGo8I5tTscZ+wtlICfiaH2/kEcw
RBngwj4bI80CX0bZT6gV
=f9JF
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: