On 21/07/16 11:42, Andrew Shadura wrote: > On 21/07/16 11:37, Andrew Shadura wrote: >> On 21/07/16 11:32, Adam D. Barratt wrote: >>>> I realise that none of the above are actually enabled in >>>> debian/patches/series, but that makes it even more confusing that >>>> they're in the diff. Please prepare and test a package that contains >>>> only the changes relating to fixing CVE-2016-4476 and CVE-2016-4477 and >>>> provide a debdiff of that.
I have redone the package, tested it and generated a debdiff. -- Cheers, Andrew
diff -Nru wpa-2.3/debian/changelog wpa-2.3/debian/changelog --- wpa-2.3/debian/changelog 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/changelog 2016-07-21 11:42:28.000000000 +0200 @@ -1,3 +1,17 @@ +wpa (2.3-1+deb8u4) jessie-security; urgency=medium + + * Non-maintainer upload. + * Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to + Salvatore Bonaccorso <car...@debian.org> (Closes: #823411): + - WPS: Reject a Credential with invalid passphrase + - Reject psk parameter set with invalid passphrase character + - Remove newlines from wpa_supplicant config network output + - Reject SET_CRED commands with newline characters in the string values + - Reject SET commands with newline characters in the string values + * Refresh patches to apply cleanly. + + -- Andrew Shadura <andre...@debian.org> Thu, 21 Jul 2016 09:01:51 +0200 + wpa (2.3-1+deb8u3) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru wpa-2.3/debian/patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch wpa-2.3/debian/patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch --- wpa-2.3/debian/patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 2016-07-21 11:42:28.000000000 +0200 @@ -25,7 +25,7 @@ index f2b0926..a629437 100644 --- a/src/eap_peer/eap_pwd.c +++ b/src/eap_peer/eap_pwd.c -@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, +@@ -301,6 +301,23 @@ BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL; u16 offset; u8 *ptr, *scalar = NULL, *element = NULL; 
@@ -49,7 +49,7 @@ if (((data->private_value = BN_new()) == NULL) || ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) || -@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, +@@ -500,6 +517,18 @@ u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; int offset; diff -Nru wpa-2.3/debian/patches/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch wpa-2.3/debian/patches/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch --- wpa-2.3/debian/patches/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/patches/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 2016-07-21 11:42:28.000000000 +0200 @@ -25,7 +25,7 @@ index 66bd5d2..3189105 100644 --- a/src/eap_server/eap_server_pwd.c +++ b/src/eap_server/eap_server_pwd.c -@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, +@@ -634,9 +634,21 @@ BIGNUM *x = NULL, *y = NULL, *cofactor = NULL; EC_POINT *K = NULL, *point = NULL; int res = 0; @@ -47,7 +47,7 @@ if (((data->peer_scalar = BN_new()) == NULL) || ((data->k = BN_new()) == NULL) || ((cofactor = BN_new()) == NULL) || -@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, +@@ -752,6 +764,13 @@ u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; int offset; diff -Nru wpa-2.3/debian/patches/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch wpa-2.3/debian/patches/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch --- wpa-2.3/debian/patches/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/patches/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 2016-07-21 11:42:28.000000000 +0200 @@ -23,7 +23,7 @@ index a629437..1d2079b 100644 --- a/src/eap_peer/eap_pwd.c 
+++ b/src/eap_peer/eap_pwd.c -@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, +@@ -812,11 +812,23 @@ * if it's the first fragment there'll be a length field */ if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { diff -Nru wpa-2.3/debian/patches/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch wpa-2.3/debian/patches/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch --- wpa-2.3/debian/patches/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/patches/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 2016-07-21 11:42:28.000000000 +0200 @@ -23,7 +23,7 @@ index 3189105..2bfc3c2 100644 --- a/src/eap_server/eap_server_pwd.c +++ b/src/eap_server/eap_server_pwd.c -@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, +@@ -920,11 +920,21 @@ * the first fragment has a total length */ if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { diff -Nru wpa-2.3/debian/patches/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch wpa-2.3/debian/patches/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch --- wpa-2.3/debian/patches/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/patches/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch 2016-07-21 11:42:28.000000000 +0200 @@ -19,7 +19,7 @@ index 1d2079b..e58b13a 100644 --- a/src/eap_peer/eap_pwd.c 
+++ b/src/eap_peer/eap_pwd.c -@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, +@@ -914,6 +914,7 @@ /* * we have output! Do we need to fragment it? */ diff -Nru wpa-2.3/debian/patches/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch wpa-2.3/debian/patches/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch --- wpa-2.3/debian/patches/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch 1970-01-01 01:00:00.000000000 +0100 +++ wpa-2.3/debian/patches/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch 2016-07-21 11:42:28.000000000 +0200 
@@ -0,0 +1,73 @@ +From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jo...@qca.qualcomm.com> +Date: Fri, 4 Mar 2016 17:20:18 +0200 +Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase + +WPA/WPA2-Personal passphrase is not allowed to include control +characters. Reject a Credential received from a WPS Registrar both as +STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or +WPA2PSK authentication type and includes an invalid passphrase. + +This fixes an issue where hostapd or wpa_supplicant could have updated +the configuration file PSK/passphrase parameter with arbitrary data from +an external device (Registrar) that may not be fully trusted. Should +such data include a newline character, the resulting configuration file +could become invalid and fail to be parsed. + +Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com> +--- + src/utils/common.c | 12 ++++++++++++ + src/utils/common.h | 1 + + src/wps/wps_attr_process.c | 10 ++++++++++ + 3 files changed, 23 insertions(+) + +--- a/src/utils/common.c ++++ b/src/utils/common.c +@@ -593,6 +593,18 @@ int find_first_bit(u32 value) + } + + ++int has_ctrl_char(const u8 *data, size_t len) ++{ ++ size_t i; ++ ++ for (i = 0; i < len; i++) { ++ if (data[i] < 32 || data[i] == 127) ++ return 1; ++ } ++ return 0; ++} ++ ++ + size_t merge_byte_arrays(u8 *res, size_t res_len, + const u8 *src1, size_t src1_len, + const u8 *src2, size_t src2_len) +--- a/src/utils/common.h ++++ b/src/utils/common.h +@@ -493,6 +493,7 @@ const char * wpa_ssid_txt(const u8 *ssid + + char * wpa_config_parse_string(const char *value, size_t *len); + int is_hex(const u8 *data, size_t len); ++int has_ctrl_char(const u8 *data, size_t len); + int find_first_bit(u32 value); + size_t merge_byte_arrays(u8 *res, size_t res_len, + const u8 *src1, size_t src1_len, +--- a/src/wps/wps_attr_process.c ++++ b/src/wps/wps_attr_process.c +@@ -229,6 +229,16 @@ static int 
wps_workaround_cred_key(struc + cred->key_len--; + #endif /* CONFIG_WPS_STRICT */ + } ++ ++ ++ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) && ++ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) { ++ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase"); ++ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key", ++ cred->key, cred->key_len); ++ return -1; ++ } ++ + return 0; + } + diff -Nru wpa-2.3/debian/patches/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch wpa-2.3/debian/patches/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch --- wpa-2.3/debian/patches/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch 1970-01-01 01:00:00.000000000 +0100 +++ wpa-2.3/debian/patches/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch 2016-07-21 11:42:28.000000000 +0200 
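Review bot: `has_ctrl_char` in the src/utils/common.c part of this hunk treats only 0x00–0x1f and 0x7f as control characters, so bytes 0x80 and above pass the new WPAPSK/WPA2PSK check in wps_workaround_cred_key even though a WPA passphrase is defined as printable ASCII; that is enough for the stated goal (keeping newlines out of the written config file), but the helper should state its contract, e.g. `/* Return 1 if data contains an ASCII control character (0x00-0x1f or 0x7f); bytes >= 0x80 are not rejected here. */` above its definition. The credential check bounds only the lower end (`cred->key_len < 8`); whether an over-long key is refused elsewhere is not visible in this hunk. In the new condition `&` binds tighter than `&&`, so it is correct as written, but `(cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK)) && (...)` makes the intent obvious to the next reader. wps_workaround_cred_key begins outside the hunk.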
@@ -0,0 +1,46 @@ +From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jo...@qca.qualcomm.com> +Date: Fri, 4 Mar 2016 18:46:41 +0200 +Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase + character + +WPA/WPA2-Personal passphrase is not allowed to include control +characters. Reject a passphrase configuration attempt if that passphrase +includes an invalid passphrase. + +This fixes an issue where wpa_supplicant could have updated the +configuration file psk parameter with arbitrary data from the control +interface or D-Bus interface. While those interfaces are supposed to be +accessible only for trusted users/applications, it may be possible that +an untrusted user has access to a management software component that +does not validate the passphrase value before passing it to +wpa_supplicant. + +This could allow such an untrusted user to inject up to 63 characters of +almost arbitrary data into the configuration file. Such configuration +file could result in wpa_supplicant trying to load a library (e.g., +opensc_engine_path, pkcs11_engine_path, pkcs11_module_path, +load_dynamic_eap) from user controlled location when starting again. +This would allow code from that library to be executed under the +wpa_supplicant process privileges. 
+ +Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com> +--- + wpa_supplicant/config.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/wpa_supplicant/config.c ++++ b/wpa_supplicant/config.c +@@ -318,6 +318,12 @@ static int wpa_config_parse_psk(const st + } + wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)", + (u8 *) value, len); ++ if (has_ctrl_char((u8 *) value, len)) { ++ wpa_printf(MSG_ERROR, ++ "Line %d: Invalid passphrase character", ++ line); ++ return -1; ++ } + if (ssid->passphrase && os_strlen(ssid->passphrase) == len && + os_memcmp(ssid->passphrase, value, len) == 0) + return 0; diff -Nru wpa-2.3/debian/patches/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch wpa-2.3/debian/patches/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch --- wpa-2.3/debian/patches/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch 1970-01-01 01:00:00.000000000 +0100 +++ wpa-2.3/debian/patches/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch 2016-07-21 11:42:28.000000000 +0200 
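Review bot: The new `has_ctrl_char((u8 *) value, len)` call in wpa_config_parse_psk casts away const for no reason; the helper takes `const u8 *`, so `has_ctrl_char((const u8 *) value, len)` keeps the compiler's const checking on `value`. The check also sits after `wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)", ...)`, so a value that is about to be refused is still dumped at MSGDUMP level first; placing the check before the hexdump avoids logging material that is then rejected. Any hex-PSK handling appears to happen earlier in the function, outside the hunk, so this note covers only the ASCII-passphrase branch. wpa_config_parse_psk begins outside the hunk.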
@@ -0,0 +1,73 @@ +From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001 +From: Paul Stewart <ps...@google.com> +Date: Thu, 3 Mar 2016 15:40:19 -0800 +Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network + output + +Spurious newlines output while writing the config file can corrupt the +wpa_supplicant configuration. Avoid writing these for the network block +parameters. This is a generic filter that cover cases that may not have +been explicitly addressed with a more specific commit to avoid control +characters in the psk parameter. + +Signed-off-by: Paul Stewart <ps...@google.com> +--- + src/utils/common.c | 11 +++++++++++ + src/utils/common.h | 1 + + wpa_supplicant/config.c | 15 +++++++++++++-- + 3 files changed, 25 insertions(+), 2 deletions(-) + +--- a/src/utils/common.c ++++ b/src/utils/common.c +@@ -605,6 +605,17 @@ int has_ctrl_char(const u8 *data, size_t + } + + ++int has_newline(const char *str) ++{ ++ while (*str) { ++ if (*str == '\n' || *str == '\r') ++ return 1; ++ str++; ++ } ++ return 0; ++} ++ ++ + size_t merge_byte_arrays(u8 *res, size_t res_len, + const u8 *src1, size_t src1_len, + const u8 *src2, size_t src2_len) +--- a/src/utils/common.h ++++ b/src/utils/common.h +@@ -494,6 +494,7 @@ const char * wpa_ssid_txt(const u8 *ssid + char * wpa_config_parse_string(const char *value, size_t *len); + int is_hex(const u8 *data, size_t len); + int has_ctrl_char(const u8 *data, size_t len); ++int has_newline(const char *str); + int find_first_bit(u32 value); + size_t merge_byte_arrays(u8 *res, size_t res_len, + const u8 *src1, size_t src1_len, +--- a/wpa_supplicant/config.c ++++ b/wpa_supplicant/config.c +@@ -2375,8 +2375,19 @@ char * wpa_config_get(struct wpa_ssid *s + + for (i = 0; i < NUM_SSID_FIELDS; i++) { + const struct parse_data *field = &ssid_fields[i]; +- if (os_strcmp(var, field->name) == 0) +- return field->writer(field, ssid); ++ if (os_strcmp(var, field->name) == 0) { ++ char *ret = field->writer(field, ssid); 
++ ++ if (ret && has_newline(ret)) { ++ wpa_printf(MSG_ERROR, ++ "Found newline in value for %s; not returning it", ++ var); ++ os_free(ret); ++ ret = NULL; ++ } ++ ++ return ret; ++ } + } + + return NULL; diff -Nru wpa-2.3/debian/patches/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch wpa-2.3/debian/patches/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch --- wpa-2.3/debian/patches/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch 1970-01-01 01:00:00.000000000 +0100 +++ wpa-2.3/debian/patches/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch 2016-07-21 11:42:28.000000000 +0200 
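Review bot: In the wpa_config_get part of this hunk a value refused by `has_newline` is freed and NULL is returned, which is the same result the function already gives for an unknown variable name after the loop, so callers cannot distinguish "no such field" from "value rejected" and the only trace is the MSG_ERROR line. That is workable for a write-time filter, but it should be documented on the function, e.g. `/* Returns NULL both for an unknown variable and for a value containing a newline; the latter case is logged at MSG_ERROR. */`. Note also that `has_newline` checks only '\n' and '\r', unlike the `has_ctrl_char` whose closing brace is the context line just above it in common.c, so other control characters still reach the written config; that matches the scope the commit message states. wpa_config_get begins outside the hunk.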
@@ -0,0 +1,57 @@ +From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jo...@qca.qualcomm.com> +Date: Tue, 5 Apr 2016 23:33:10 +0300 +Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the + string values + +Most of the cred block parameters are written as strings without +filtering and if there is an embedded newline character in the value, +unexpected configuration file data might be written. + +This fixes an issue where wpa_supplicant could have updated the +configuration file cred parameter with arbitrary data from the control +interface or D-Bus interface. While those interfaces are supposed to be +accessible only for trusted users/applications, it may be possible that +an untrusted user has access to a management software component that +does not validate the credential value before passing it to +wpa_supplicant. + +This could allow such an untrusted user to inject almost arbitrary data +into the configuration file. Such configuration file could result in +wpa_supplicant trying to load a library (e.g., opensc_engine_path, +pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user +controlled location when starting again. This would allow code from that +library to be executed under the wpa_supplicant process privileges. 
+ +Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com> +--- + wpa_supplicant/config.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/wpa_supplicant/config.c ++++ b/wpa_supplicant/config.c +@@ -2572,6 +2572,8 @@ int wpa_config_set_cred(struct wpa_cred + + if (os_strcmp(var, "password") == 0 && + os_strncmp(value, "ext:", 4) == 0) { ++ if (has_newline(value)) ++ return -1; + str_clear_free(cred->password); + cred->password = os_strdup(value); + cred->ext_password = 1; +@@ -2622,9 +2624,14 @@ int wpa_config_set_cred(struct wpa_cred + } + + val = wpa_config_parse_string(value, &len); +- if (val == NULL) { ++ if (val == NULL || ++ (os_strcmp(var, "excluded_ssid") != 0 && ++ os_strcmp(var, "roaming_consortium") != 0 && ++ os_strcmp(var, "required_roaming_consortium") != 0 && ++ has_newline(val))) { + wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string " + "value '%s'.", line, var, value); ++ os_free(val); + return -1; + } + diff -Nru wpa-2.3/debian/patches/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch wpa-2.3/debian/patches/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch --- wpa-2.3/debian/patches/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch 1970-01-01 01:00:00.000000000 +0100 +++ wpa-2.3/debian/patches/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch 2016-07-21 11:42:28.000000000 +0200 
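Review bot: The `ext:` password branch in wpa_config_set_cred now does `if (has_newline(value)) return -1;` silently, while the generic string branch further down in the same hunk logs at MSG_ERROR before returning; the two rejection paths should report consistently, e.g. `wpa_printf(MSG_ERROR, "Line %d: invalid password value with newline", line);` before the early return. That generic message also prints the raw `value` with `'%s'`, so the offending newline is echoed into the log line itself; logging only `var` keeps log lines intact. The three exempted variables (excluded_ssid, roaming_consortium, required_roaming_consortium) carry no comment on why they may contain a newline — presumably because they are stored and written back in a non-string form — so a one-line `/* these fields are not written back as plain strings */` comment, once that is confirmed, would keep the exemption from looking accidental. wpa_config_set_cred begins outside the hunk.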
@@ -0,0 +1,45 @@ +From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jo...@qca.qualcomm.com> +Date: Tue, 5 Apr 2016 23:55:48 +0300 +Subject: [PATCH 5/5] Reject SET commands with newline characters in the + string values + +Many of the global configuration parameters are written as strings +without filtering and if there is an embedded newline character in the +value, unexpected configuration file data might be written. + +This fixes an issue where wpa_supplicant could have updated the +configuration file global parameter with arbitrary data from the control +interface or D-Bus interface. While those interfaces are supposed to be +accessible only for trusted users/applications, it may be possible that +an untrusted user has access to a management software component that +does not validate the value of a parameter before passing it to +wpa_supplicant. + +This could allow such an untrusted user to inject almost arbitrary data +into the configuration file. Such configuration file could result in +wpa_supplicant trying to load a library (e.g., opensc_engine_path, +pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user +controlled location when starting again. This would allow code from that +library to be executed under the wpa_supplicant process privileges. 
+ +Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com> +--- + wpa_supplicant/config.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/wpa_supplicant/config.c ++++ b/wpa_supplicant/config.c +@@ -3418,6 +3418,12 @@ static int wpa_global_config_parse_str(c + return -1; + } + ++ if (has_newline(pos)) { ++ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline", ++ line, data->name); ++ return -1; ++ } ++ + tmp = os_strdup(pos); + if (tmp == NULL) + return -1; diff -Nru wpa-2.3/debian/patches/2016-1/psk-parameter-config-update.txt wpa-2.3/debian/patches/2016-1/psk-parameter-config-update.txt --- wpa-2.3/debian/patches/2016-1/psk-parameter-config-update.txt 1970-01-01 01:00:00.000000000 +0100 +++ wpa-2.3/debian/patches/2016-1/psk-parameter-config-update.txt 2016-07-21 11:42:28.000000000 +0200 
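Review bot: The new `has_newline(pos)` guard in wpa_global_config_parse_str has no comment explaining why only '\n' and '\r' are refused while other control characters are still accepted into a global string parameter; a line such as `/* A newline in the value would start a new line in the written config file */` above the `if` records the reasoning. The guard is placed after an earlier `return -1` whose condition is outside the hunk, so whether empty or over-long values are already caught before this point cannot be confirmed from the diff. wpa_global_config_parse_str begins outside the hunk.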
@@ -0,0 +1,101 @@ +psk configuration parameter update allowing arbitrary data to be written + +Published: May 2, 2016 +Identifiers: CVE-2016-4476 and CVE-2016-4477 + (CVE-2016-2447 is an instance of CVE-2016-4477 on Android) +Latest version available from: http://w1.fi/security/2016-1/ + + +Vulnerability + +A vulnerability was found in how hostapd and wpa_supplicant writes the +configuration file update for the WPA/WPA2 passphrase parameter. If this +parameter has been updated to include control characters either through +a WPS operation (CVE-2016-4476) or through local configuration change +over the wpa_supplicant control interface (CVE-2016-4477), the resulting +configuration file may prevent the hostapd and wpa_supplicant from +starting when the updated file is used. In addition for wpa_supplicant, +it may be possible to load a local library file and execute code from +there with the same privileges under which the wpa_supplicant process +runs. + +The WPS trigger for this requires local user action to authorize the WPS +operation in which a new configuration would be received. The attacker +would also need to be in radio range of the device or have access to the +IP network to act as a WPS External Registrar. Such an attack could +result in denial of service by not allowing hostapd or wpa_supplicant to +start after they have been stopped. + +The local configuration update through the control interface SET_NETWORK +command could allow privilege escalation for the local user to run code +from a locally stored library file under the same privileges as the +wpa_supplicant process has. The assumption here is that a not fully +trusted user/application might have access through a connection manager +to set network profile parameters like psk, but would not have access to +set other configuration file parameters. 
If the connection manager in +such a case does not filter out control characters from the psk value, +it could have been possible to practically update the global parameters +by embedding a newline character within the psk value. In addition, the +untrusted user/application would need to be able to install a library +file somewhere on the device from where the wpa_supplicant process has +privileges to load the library. + +Similarly to the SET_NETWORK case, if a connection manager exposes +access to the SET_CRED or SET commands, similar issue with newline +characters can exist as those commands do not filter out control +characters from the value. + +It should also be noted that providing unlimited access to the +wpa_supplicant control interface would allow arbitrary SET commands to +be issued. Such unlimited access should not be provided to untrusted +users/applications. + + +Vulnerable versions/configurations + +For the local control interface attack vector (CVE-2016-4477): + +wpa_supplicant v0.4.0-v2.5 with control interface enabled + +update_config=1 must have been enabled in the configuration file. + + +For the WPS attack vector (CVE-2016-4476): + +wpa_supplicant v0.6.7-v2.5 with CONFIG_WPS build option enabled +hostapd v0.6.7-v2.5 with CONFIG_WPS build option enabled + +WPS needs to be enabled in the runtime operation and the WPS operation +needs to have been authorized by the local user over the control +interface. For wpa_supplicant, update_config=1 must have been enabled in +the configuration file. + + +Acknowledgments + +Thanks to Google for reporting this issue and Imre Rad of SEARCH-LAB +Ltd. discovering it. 
+ + +Possible mitigation steps + +- Merge the following commits to hostapd/wpa_supplicant and rebuild it: + + CVE-2016-4476: + WPS: Reject a Credential with invalid passphrase + CVE-2016-4477: + Reject psk parameter set with invalid passphrase character + Reject SET_CRED commands with newline characters in the string values + Reject SET commands with newline characters in the string values + CVE-2016-4476 and CVE-2016-4477: + Remove newlines from wpa_supplicant config network output + + These patches are available from http://w1.fi/security/2016-1/ + +- Update to hostapd/wpa_supplicant v2.6 or newer, once available + + +Change history + +May 3, 2016 +- Added CVE IDs diff -Nru wpa-2.3/debian/patches/CVE-2015-5314.patch wpa-2.3/debian/patches/CVE-2015-5314.patch --- wpa-2.3/debian/patches/CVE-2015-5314.patch 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/patches/CVE-2015-5314.patch 2016-07-21 11:42:28.000000000 +0200 @@ -16,7 +16,7 @@ index cb83ff7..9f787ab 100644 --- a/src/eap_server/eap_server_pwd.c +++ b/src/eap_server/eap_server_pwd.c -@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, +@@ -947,7 +947,7 @@ /* * the first and all intermediate fragments have the M bit set */ @@ -25,7 +25,7 @@ if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) { wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow " "attack detected! (%d+%d > %d)", -@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, +@@ -958,6 +958,8 @@ } wpabuf_put_data(data->inbuf, pos, len); data->in_frag_pos += len; 
@@ -34,7 +34,7 @@ wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment", (int) len); return; -@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, +@@ -967,8 +969,6 @@ * buffering fragments so that's how we know it's the last) */ if (data->in_frag_pos) { diff -Nru wpa-2.3/debian/patches/CVE-2015-5315.patch wpa-2.3/debian/patches/CVE-2015-5315.patch --- wpa-2.3/debian/patches/CVE-2015-5315.patch 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/patches/CVE-2015-5315.patch 2016-07-21 11:42:28.000000000 +0200 @@ -16,7 +16,7 @@ index 1f78544..75ceef1 100644 --- a/src/eap_peer/eap_pwd.c +++ b/src/eap_peer/eap_pwd.c -@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, +@@ -841,7 +841,7 @@ /* * buffer and ACK the fragment */ @@ -25,7 +25,7 @@ data->in_frag_pos += len; if (data->in_frag_pos > wpabuf_size(data->inbuf)) { wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack " -@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, +@@ -854,7 +854,8 @@ return NULL; } wpabuf_put_data(data->inbuf, pos, len); @@ -35,7 +35,7 @@ resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, EAP_PWD_HDR_SIZE, EAP_CODE_RESPONSE, eap_get_id(reqData)); -@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, +@@ -868,10 +869,8 @@ * we're buffering and this is the last fragment */ if (data->in_frag_pos) { diff -Nru wpa-2.3/debian/patches/CVE-2015-5316.patch wpa-2.3/debian/patches/CVE-2015-5316.patch --- wpa-2.3/debian/patches/CVE-2015-5316.patch 2015-11-07 16:07:28.000000000 +0100 +++ wpa-2.3/debian/patches/CVE-2015-5316.patch 2016-07-21 11:42:28.000000000 +0200 @@ -16,7 +16,7 @@ index 75ceef1..892b590 100644 --- a/src/eap_peer/eap_pwd.c 
+++ b/src/eap_peer/eap_pwd.c
-@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+@@ -713,7 +713,8 @@
 wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
 fin:
diff -Nru wpa-2.3/debian/patches/series wpa-2.3/debian/patches/series
--- wpa-2.3/debian/patches/series 2015-11-07 16:07:28.000000000 +0100
+++ wpa-2.3/debian/patches/series 2016-07-21 11:42:28.000000000 +0200
@@ -19,3 +19,8 @@
 CVE-2015-5314.patch
 CVE-2015-5315.patch
 CVE-2015-5316.patch
+2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
+2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
+2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch
+2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
+2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch