Debian Security Advisory

DLA-473-1 wpa -- LTS security update

Date Reported:
14 May 2016
Affected Packages:
wpa
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 823411.
In Mitre's CVE dictionary: CVE-2016-4476, CVE-2016-4477.
More information:

A vulnerability was found in how hostapd and wpa_supplicant write the configuration file update for the WPA/WPA2 passphrase parameter. If this parameter has been updated to include control characters, either through a WPS operation (CVE-2016-4476) or through a local configuration change over the wpa_supplicant control interface (CVE-2016-4477), the resulting configuration file may prevent hostapd and wpa_supplicant from starting when the updated file is used. In addition, for wpa_supplicant, it may be possible to load a local library file and execute code from there with the same privileges under which the wpa_supplicant process runs.

  • CVE-2016-4476

    hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.

  • CVE-2016-4477

    wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r characters in passphrase parameters, which allows local users to trigger arbitrary library loading and consequently gain privileges, or cause a denial of service (daemon outage), via a crafted (1) SET, (2) SET_CRED, or (3) SET_NETWORK command.
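
The class of check that closes this hole, as an added example (not code from hostapd, wpa_supplicant or the Debian patch): validate the passphrase before it is serialized into a line-oriented configuration file. The function names, the psk="..." line layout used here and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if the passphrase may be written as a single
 * configuration line, 0 otherwise. */
static int passphrase_is_safe(const char *s)
{
    size_t len = strlen(s);

    /* WPA/WPA2 passphrases are 8..63 characters long. */
    if (len < 8 || len > 63)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        /* \n and \r would end the line early and let the remainder be
         * parsed as a separate parameter; reject every control
         * character, not only those two. */
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Hypothetical writer: formats one psk="..." line into out.
 * Returns 0 on success, -1 if the value is rejected or does not fit;
 * on failure out is left empty so nothing partial reaches the file. */
static int format_psk_line(char *out, size_t outlen, const char *passphrase)
{
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (!passphrase_is_safe(passphrase))
        return -1;
    int n = snprintf(out, outlen, "\tpsk=\"%s\"\n", passphrase);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[128];
    /* Constructed sample inputs. */
    const char *good = "correct horse battery";
    const char *bad = "longenough\ninjected_key=1";

    printf("good -> %d\n", format_psk_line(line, sizeof(line), good));
    printf("bad  -> %d\n", format_psk_line(line, sizeof(line), bad));
    return 0;
}
```

The check belongs at every entry point that can set the value (WPS-provisioned credentials and control-interface commands alike), not only at the point where the file is written.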

For Debian 7 Wheezy, these problems have been fixed in version 1.0-3+deb7u4.

We recommend that you upgrade your wpa packages.