Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue,  3 May 2016 01:29:28 -0400 (EDT)
From: cve-assign@...re.org
To: j@...fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: hostapd/wpa_supplicant - psk configuration parameter update allowing arbitrary data to be written

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Identifier: related to CVE-2016-2447

We understand the existence of the CVE-2016-2447 ID in
http://source.android.com/security/bulletin/2016-05-01.html and that
the reports credit Imre Rad; however, there are different exploitation
scenarios that affect different versions from the perspective of
hostapd/wpa_supplicant, and thus it is probably simplest for most
people to have separate hostapd/wpa_supplicant CVE IDs.

> WPA/WPA2 passphrase parameter ... to include control characters

> The WPS trigger for this requires local user action to authorize the WPS
> operation in which a new configuration would be received. The attacker
> would also need to be in radio range of the device or have access to the
> IP network to act as a WPS External Registrar. Such an attack could
> result in denial of service by not allowing hostapd or wpa_supplicant to
> start after they have been stopped.
> 
> wpa_supplicant v0.6.7-v2.5 with CONFIG_WPS build option enabled
> hostapd v0.6.7-v2.5 with CONFIG_WPS build option enabled

Use CVE-2016-4476.


> The local configuration update through the control interface SET_NETWORK
> command could allow privilege escalation for the local user to run code
> from a locally stored library file
>
> ... SET_CRED or SET commands, similar issue ...
> 
> wpa_supplicant v0.4.0-v2.5 with control interface enabled

Use CVE-2016-4477.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXKDatAAoJEHb/MwWLVhi2mqQQALY+roiB6xee2Ux/cpcPcVC0
jOTKd+hEVHKojwM0C0740Og5ruVwQnSF8L4ggrcSIlRw+rLa2zvyCz56HFLaO7VK
UetNHBJej0XmLJBJBeg/BP+zZXLzym2ptjiQBW3FZorNoTE+baRxRUXGd14MSnOZ
7f00/E3omjRMm4+QutmiXL/iVARNYwdy2dYeeJfEFEw05l/YFjb/ozMjWIYvepEp
sxxtaxuSTPnMMlMfbhb/EvpvxnCTw6SZBbz1mA9i48ex3VT2VFmuRBiAZa56pptU
ghF4LeMhxmj2guc/G14To3VFc9Pj/Xd8qqMtk1E7n3Wg5ESd41ocFN6frav5MNDM
PoyemIa86Z86d/dxlAd7GLMBDSrKN3Sgk/ENbUNyCIdCsFWIX9FPvipigZliiO9X
KeMS5zAVqou8Cfq16VqtlsjIRq7cd0JwRWqzI3AvhMCyZz1FBVaQAe002grrs+TS
60ozbevL9AbtaCYvMIS4zE5kQAvbpPz6MWrwJMcv5NFbWLTB1+iHBkd9AB3N7Q4u
ba/fY8RB244bmu37+vgSunkamEmRHLoGx8byUTUXtKP0Yc0lFvartdRjQncS2qlZ
bzYhvTlR8QOJMgE+7Qf6aQhG0kwOMOrWN6IdIUGo8I5tTscZ+wtlICfiaH2/kEcw
RBngwj4bI80CX0bZT6gV
=f9JF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ