Debian Security Advisory
DLA-473-1 wpa -- LTS security update
- Date Reported:
- 14 May 2016
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 823411.
In Mitre's CVE dictionary: CVE-2016-4476, CVE-2016-4477.
- More information:
A vulnerability was found in how hostapd and wpa_supplicant writes the configuration file update for the WPA/WPA2 passphrase parameter. If this parameter has been updated to include control characters either through a WPS operation (CVE-2016-4476) or through local configuration change over the wpa_supplicant control interface (CVE-2016-4477), the resulting configuration file may prevent the hostapd and wpa_supplicant from starting when the updated file is used. In addition for wpa_supplicant, it may be possible to load a local library file and execute code from there with the same privileges under which the wpa_supplicant process runs.
hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.
wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r characters in passphrase parameters, which allows local users to trigger arbitrary library loading and consequently gain privileges, or cause a denial of service (daemon outage), via a crafted (1) SET, (2) SET_CRED, or (3) SET_NETWORK command.
For Debian 7
Wheezy, these problems have been fixed in version 1.0-3+deb7u4.
We recommend that you upgrade your wpa packages.