Bug 14262 - wpa_supplicant, hostapd new security issue CVE-2014-3686
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/616270/
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok MGA4-32...
Keywords: validated_update
Reported: 2014-10-09 23:11 CEST by David Walser
Modified: 2014-10-28 12:34 CET

Source RPM: wpa_supplicant, hostapd

Description David Walser 2014-10-09 23:11:35 CEST
A security issue has been announced today (October 9):
http://openwall.com/lists/oss-security/2014/10/09/28
http://w1.fi/security/2014-1/wpacli-action-scripts.txt

The issue is fixed upstream in version 2.3.

I've committed it in Cauldron SVN and requested a freeze push.

There are also patches available here:
http://w1.fi/security/2014-1/

Our hostapd package isn't currently vulnerable as WPS isn't enabled, but someone could have an issue if they enabled it and rebuilt it themselves.  Our wpa_supplicant package does have it enabled and is vulnerable.

Mageia 3 and Mageia 4 are affected.

David Walser 2014-10-09 23:11:41 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-10-09 23:34:16 CEST
Patches checked into Mageia 3 and Mageia 4 SVN.

Comment 2 David Walser 2014-10-09 23:56:21 CEST
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated wpa_supplicant and hostapd packages fix security vulnerability:

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root in common use cases) (CVE-2014-3686).

Using the Mageia wpa_supplicant package, systems are exposed to the
vulnerability if operating as a WPS registrar.

The Mageia hostapd package was not vulnerable with the configuration with
which it was built, but if a sysadmin had rebuilt it with WPS enabled, it
would be vulnerable.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
http://w1.fi/security/2014-1/wpacli-action-scripts.txt
========================

Updated packages in core/updates_testing:
========================
wpa_supplicant-1.1-4.1.mga3
wpa_supplicant-gui-1.1-4.1.mga3
hostapd-1.1-2.1.mga3
wpa_supplicant-2.0-2.1.mga4
wpa_supplicant-gui-2.0-2.1.mga4
hostapd-2.0-2.1.mga4

from SRPMS:
wpa_supplicant-1.1-4.1.mga3.src.rpm
hostapd-1.1-2.1.mga3.src.rpm
wpa_supplicant-2.0-2.1.mga4.src.rpm
hostapd-2.0-2.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Len Lawrence 2014-10-11 18:30:35 CEST
wpa_supplicant-2.0-2.1.mga4 from core updates testing
Installed these afterwards from core updates testing
wpa_supplicant-gui-2.0-2.1.mga4
hostapd-2.0-2.1.mga4
The latter pulled in lib64nl1 from core release.

Invoked wpa_gui to try to get some clue about what to do.  Looks like a network manager but have no idea where to go with that and it may not be relevant given that the advisory points to the *_cli as being vulnerable.

Will look at the link posted above to see what action scripts are.

CC: (none) => tarazed25

David Walser 2014-10-13 23:44:20 CEST

Severity: normal => critical

Comment 4 David Walser 2014-10-15 19:16:58 CEST
Ubuntu has issued an advisory for this on October 14:
http://www.ubuntu.com/usn/usn-2383-1/

URL: (none) => http://lwn.net/Vulnerabilities/616270/

Comment 5 Bill Wilkinson 2014-10-23 22:56:20 CEST
Tested general use, mga4-64.  Installed update, rebooted system.  Wifi with wpa/wpa2 encryption started normally.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 6 Bill Wilkinson 2014-10-23 23:06:10 CEST
Tested mga3-64 as above.  wifi started normally.

I don't have a 32-bit install with wifi, so I'll leave that to someone else to test.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga3-64-ok

Comment 7 olivier charles 2014-10-23 23:41:04 CEST
Testing on Mageia4-32 (as advised by Claire Robinson, disabled networkmanager service, rebooted, otherwise I was not able to connect through wifi)

With current packages :
---------------------

wpa_supplicant-2.0-2.mga4
wpa_supplicant-gui-2.0-2.mga4

Could connect through encrypted and non-encrypted wifi.

wpa_gui (run as root) showed :
- on non-encrypted
Authentication : NONE
Encryption : NONE

- on encrypted
Authentication : WPA-PSK
Encryption : CCMP + TKIP


With update-testing :
-------------------

wpa_supplicant-2.0-2.1.mga4
wpa_supplicant-gui-2.0-2.1.mga4
+ reboot

Could connect through encrypted and non-encrypted wifi.
wpa_gui verified ok as before.

Works good

CC: (none) => olchal
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK

Comment 8 Rémi Verschelde 2014-10-24 19:23:51 CEST
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK => MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK advisory

Comment 9 claire robinson 2014-10-27 15:47:42 CET
Validating.

Could sysadmin please push to 3 & 4 updates

Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2014-10-28 12:34:14 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0429.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

