ASA-201610-7 log original external raw

[ASA-201610-7] wpa_supplicant: multiple issues
Arch Linux Security Advisory ASA-201610-7 ========================================= Severity: High Date : 2016-10-08 CVE-ID : CVE-2016-4476 CVE-2016-4477 Package : wpa_supplicant Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-11 Summary ======= The package wpa_supplicant before version 1:2.6-1 is vulnerable to multiple issues including privilege escalation and denial of service. Resolution ========== Upgrade to 1:2.6-1. # pacman -Syu "wpa_supplicant>=1:2.6-1" The problems have been fixed upstream in version 2.6. Workaround ========== None. Description =========== - CVE-2016-4476 (denial of service) A vulnerability was found in how hostapd and wpa_supplicant writes the configuration file update for the WPA/WPA2 passphrase parameter. If this parameter has been updated to include control characters either through a WPS operation or through local configuration change over the wpa_supplicant control interface, the resulting configuration file may prevent the hostapd and wpa_supplicant from starting when the updated file is used. - CVE-2016-4477 (privilege escalation) The local configuration update through the control interface SET_NETWORK command could allow privilege escalation for the local user to run code from a locally stored library file under the same privileges as the wpa_supplicant process has. The assumption here is that a not fully trusted user/application might have access through a connection manager to set network profile parameters like psk, but would not have access to set other configuration file parameters. If the connection manager in such a case does not filter out control characters from the psk value, it could have been possible to practically update the global parameters by embedding a newline character within the psk value. In addition, the untrusted user/application would need to be able to install a library file somewhere on the device from where the wpa_supplicant process has privileges to load the library. Impact ====== A remote attacker is able to perform a denial of service attack that prevents hostapd from starting. Furthermore a local attacker is able to elevate privileges by a local configuration update under certain circumstances. References ========== https://bugs.archlinux.org/task/49196 http://www.openwall.com/lists/oss-security/2016/05/03/2 https://security.archlinux.org/CVE-2016-4476 https://security.archlinux.org/CVE-2016-4477