Lucene search

K
archlinuxArchLinuxASA-201610-3
HistoryOct 04, 2016 - 12:00 a.m.

[ASA-201610-3] hostapd: multiple issues

2016-10-0400:00:00
security.archlinux.org
27

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

61.5%

Arch Linux Security Advisory ASA-201610-3

Severity: High
Date : 2016-10-04
CVE-ID : CVE-2016-4476 CVE-2016-4477
Package : hostapd
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE

Summary

The package hostapd before version 2.6-1 is vulnerable to multiple
issues including privilege escalation and denial of service.

Resolution

Upgrade to 2.6-1.

pacman -Syu β€œhostapd>=2.6-1”

The problems have been fixed upstream in version 2.6.

Workaround

None.

Description

  • CVE-2016-4476 (denial of service)

A vulnerability was found in how hostapd and wpa_supplicant writes the
configuration file update for the WPA/WPA2 passphrase parameter. If
this parameter has been updated to include control characters either
through a WPS operation or through local configuration change over the
wpa_supplicant control interface, the resulting configuration file may
prevent the hostapd and wpa_supplicant from starting when the updated
file is used.

  • CVE-2016-4477 (privilege escalation)

The local configuration update through the control interface
SET_NETWORK command could allow privilege escalation for the local user
to run code from a locally stored library file under the same
privileges as the wpa_supplicant process has. The assumption here is
that a not fully trusted user/application might have access through a
connection manager to set network profile parameters like psk, but
would not have access to set other configuration file parameters. If
the connection manager in such a case does not filter out control
characters from the psk value, it could have been possible to
practically update the global parameters by embedding a newline
character within the psk value. In addition, the untrusted
user/application would need to be able to install a library file
somewhere on the device from where the wpa_supplicant process has
privileges to load the library.

Impact

A remote attacker is able to perform a denial of service attack that
prevents hostapd from starting. Furthermore a local attacker is able to
elevate privileges by a local configuration update under certain
circumstances.

References

http://www.openwall.com/lists/oss-security/2016/05/03/2
https://w1.fi/security/2016-1/psk-parameter-config-update.txt
https://access.redhat.com/security/cve/CVE-2016-4476
https://access.redhat.com/security/cve/CVE-2016-4477

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyhostapd<Β 2.6-1UNKNOWN

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

61.5%