OSV:DLA-473-1
May 14, 2016 - 12:00 a.m.

wpa - security update

Google
osv.dev

EPSS: 0.002 (percentile: 61.5%)

A vulnerability was found in how hostapd and wpa_supplicant write the
configuration file update for the WPA/WPA2 passphrase parameter. If
this parameter has been updated to include control characters, either
through a WPS operation (CVE-2016-4476) or through a local
configuration change over the wpa_supplicant control interface
(CVE-2016-4477), the resulting configuration file may prevent hostapd
and wpa_supplicant from starting when the updated file is used. In
addition, for wpa_supplicant, it may be possible to load a local
library file and execute code from there with the same privileges
under which the wpa_supplicant process runs.

  • CVE-2016-4476
    hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do
    not reject \n and \r characters in passphrase parameters, which
    allows remote attackers to cause a denial of service (daemon
    outage) via a crafted WPS operation.
  • CVE-2016-4477
    wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r
    characters in passphrase parameters, which allows local users to
    trigger arbitrary library loading and consequently gain privileges,
    or cause a denial of service (daemon outage), via a crafted (1)
    SET, (2) SET_CRED, or (3) SET_NETWORK command.
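
The effect of an unrejected \n on the written configuration, and the check that prevents it, shown as an added example (not code from hostapd, wpa_supplicant or the advisory). The function names, the psk="..." line layout used for serialization, and the sample values are assumptions made for illustration; placeholder_key is not a real directive.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (name is an assumption): 1 if any byte is an ASCII control character. */
static int has_control_char(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 32 || c == 127)
            return 1;
    }
    return 0;
}

/* Serialize one passphrase entry the way a config writer would.
 * checked == 0: write the value verbatim (the behaviour the advisory describes).
 * checked != 0: enforce the 8..63 character WPA passphrase length and
 *               reject control characters before writing.
 * Returns 0 on success, -1 if the value is rejected or does not fit. */
static int write_psk(char *out, size_t outlen, const char *pass, int checked)
{
    size_t len = strlen(pass);
    if (checked && (len < 8 || len > 63 || has_control_char(pass, len)))
        return -1;
    int n = snprintf(out, outlen, "\tpsk=\"%s\"\n", pass);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Number of config-file lines the entry occupies, or -1 if rejected. */
static int serialized_lines(const char *pass, int checked)
{
    char buf[256];
    int lines = 0;
    if (write_psk(buf, sizeof(buf), pass, checked) != 0)
        return -1;
    for (const char *p = buf; *p; p++)
        if (*p == '\n')
            lines++;
    return lines;
}

int main(void)
{
    /* Constructed sample values; placeholder_key is not a real directive. */
    const char *ok = "correct horse battery";
    const char *bad = "correct horse\nplaceholder_key=1";
    printf("unchecked, clean value: %d line(s)\n", serialized_lines(ok, 0));
    printf("unchecked, embedded \\n: %d line(s)\n", serialized_lines(bad, 0));
    printf("checked, embedded \\n:   %d (rejected)\n", serialized_lines(bad, 1));
    return 0;
}
```

A single passphrase that serializes to more than one line means the text after the newline is parsed as its own configuration entry on the next start, which is why the check has to run before the value is stored or written.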

For Debian 7 Wheezy, these problems have been fixed in version
1.0-3+deb7u4.

We recommend that you upgrade your wpa packages.