CVE-2016-4477

Source
Severity High
Remote No
Type Privilege escalation
Description
The local configuration update through the control interface SET_NETWORK command could allow a local user to escalate privileges by running code from a locally stored library file with the same privileges as the wpa_supplicant process. The assumption here is that a not fully trusted user or application might have access through a connection manager to set network profile parameters such as psk, but would not have access to set other configuration file parameters. If the connection manager in such a case does not filter control characters out of the psk value, it could in practice have been possible to update the global parameters by embedding a newline character within the psk value. In addition, the untrusted user or application would need to be able to install a library file somewhere on the device from which the wpa_supplicant process has privileges to load it.
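The mitigation on the connection-manager side is the control-character filter the description mentions. The following is an added example (not wpa_supplicant or Arch code) of such a check in front of the SET_NETWORK command, using the `SET_NETWORK <id> psk <value>` syntax documented for wpa_cli; the function names and the 8..63-character passphrase / 64-hex-digit raw-PSK rule are the example's own assumptions.

```python
"""Input check for PSK values passed to wpa_supplicant's SET_NETWORK.

Added example, not wpa_supplicant code: a connection manager that accepts
a passphrase from a less-trusted caller should reject control characters
before building the control-interface command, because a newline inside
the quoted value can terminate the network block and introduce further
configuration lines (the CVE-2016-4477 issue).
"""
import re

# Any ASCII control character, including \n, \r and NUL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# 64 hex digits: the pre-computed raw PSK form, passed unquoted.
_HEX_PSK = re.compile(r"\A[0-9a-fA-F]{64}\Z")


def psk_rejection_reason(value: str):
    """Return None if value is acceptable, else a short reason string."""
    if _CONTROL.search(value):
        return "control character in psk"
    if _HEX_PSK.match(value):
        return None
    if not value.isascii():
        return "non-ASCII passphrase"
    if '"' in value or "\\" in value:
        return "quote or backslash in passphrase"
    if not 8 <= len(value) <= 63:
        return "passphrase length must be 8..63 characters"
    return None


def build_set_network(network_id: int, value: str) -> str:
    """Build 'SET_NETWORK <id> psk ...' only after the value passes the check."""
    reason = psk_rejection_reason(value)
    if reason is not None:
        raise ValueError(reason)
    if _HEX_PSK.match(value):
        return f"SET_NETWORK {network_id} psk {value}"
    return f'SET_NETWORK {network_id} psk "{value}"'


if __name__ == "__main__":
    # Constructed sample inputs: one valid passphrase, then rejected ones.
    print(build_set_network(0, "correct horse battery"))
    for bad in ("pass\nword", "short", "x" * 65):
        print(repr(bad), "->", psk_rejection_reason(bad))
```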
Group   Package         Affected  Fixed    Severity  Status  Ticket
AVG-10  hostapd         2.5-2     2.6-1    High      Fixed   FS#49196
AVG-11  wpa_supplicant  1:2.5-3   1:2.6-1  High      Fixed   FS#49196
Date         Advisory      Group   Package         Severity  Description
08 Oct 2016  ASA-201610-7  AVG-11  wpa_supplicant  High      multiple issues
04 Oct 2016  ASA-201610-3  AVG-10  hostapd         High      multiple issues
References
http://www.openwall.com/lists/oss-security/2016/05/03/2