wpa_cli and hostapd_cli action script execution vulnerability
Jouni Malinen
j at w1.fi
Thu Oct 9 15:07:12 EDT 2014
Published: October 9, 2014
Identifier: CVE-2014-3686
Latest version available from: http://w1.fi/security/2014-1/
Vulnerability
A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root or at least network admin in common use
cases).
Vulnerable versions/configurations
wpa_cli is a component distributed with wpa_supplicant and hostapd_cli
is a component distributed with hostapd. The vulnerability affects only
cases where wpa_cli or hostapd_cli is used to run action scripts (-a
command line option) and one (or more) of the following build
combinations for wpa_supplicant/hostapd is used:
- wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and
  connecting to a P2P group
- wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled
- wpa_supplicant v2.2 with CONFIG_HS20 build option enabled
- wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and
  operating as WPS Registrar
- hostapd v0.7.2-v2.2 with CONFIG_WPS build option enabled and WPS enabled
  in runtime configuration
wpa_supplicant and hostapd processes are not directly affected, i.e.,
the vulnerability occurs in the wpa_cli/hostapd_cli process based on
information received from wpa_supplicant/hostapd.
The attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a frame that triggers a
suitably formatted event message, which then gives full control over
command execution.
Possible mitigation steps
- Update to wpa_cli/hostapd_cli from wpa_supplicant/hostapd v2.3
- Merge the following commits to an older version of wpa_cli/hostapd_cli
  and rebuild it:
  - Add os_exec() helper to run external programs
  - wpa_cli: Use os_exec() for action script execution
  - hostapd_cli: Use more robust mechanism for action script execution
  These patches are available from http://w1.fi/security/2014-1/
- Disable use of wpa_cli/hostapd_cli command to run action scripts
  (this may prevent functionality)
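As an added illustration (not hostap's own code), a fork()/execv() action-script runner in the spirit of the os_exec() fix listed above: the event text is split into argv tokens and handed to the script without any shell, so the system() call on a concatenated string that the advisory describes is no longer needed and metacharacters in the event are never interpreted. The names build_argv, run_action_safe and MAX_ARGS are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 30  /* assumed limit, not taken from hostap */

/* Split 'arg' on spaces in place into argv[1..] (argv[0] = program).
 * Returns the number of entries filled, not counting the trailing NULL. */
int build_argv(char *program, char *arg, char *argv[], int max)
{
    int i = 1;
    char *pos = arg;
    argv[0] = program;
    while (i < max - 1 && pos && *pos) {
        while (*pos == ' ')
            pos++;
        if (*pos == '\0')
            break;
        argv[i++] = pos;
        pos = strchr(pos, ' ');
        if (pos)
            *pos++ = '\0';
    }
    argv[i] = NULL;
    return i;
}

/* Hardened form: fork() + execv() with an argv array and no shell, so each
 * token reaches the script verbatim. Returns the child's exit code, or -1
 * if it could not be started or did not exit normally. */
int run_action_safe(const char *program, const char *arg)
{
    char buf[512], prog[256], *argv[MAX_ARGS + 1];
    pid_t pid; int status;
    snprintf(buf, sizeof(buf), "%s", arg);      /* private, writable copies */
    snprintf(prog, sizeof(prog), "%s", program);
    build_argv(prog, buf, argv, MAX_ARGS + 1);
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execv(prog, argv);
        _exit(127); /* exec failed; never fall back to a shell */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Running `/usr/bin/test "x;$(true)|y" = "x;$(true)|y"` through run_action_safe exits 0 because the metacharacter-laden token is compared as a literal string; under system() the same text would have been parsed by /bin/sh.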
--
Jouni Malinen PGP id EFC895FA