wpa_cli and hostapd_cli action script execution vulnerability

Published: October 9, 2014
Updated: October 28, 2014
Identifier: CVE-2014-3686
Latest version available from: http://w1.fi/security/2014-1/

Vulnerability

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use for executing action scripts. An unsanitized string received from a remote device can be passed to a system() call, resulting in arbitrary command execution under the privileges of the wpa_cli/hostapd_cli process (which may be root, or at least network admin, in common use cases).

Vulnerable versions/configurations

wpa_cli is a component distributed with wpa_supplicant and hostapd_cli is a component distributed with hostapd. The vulnerability affects only cases where wpa_cli or hostapd_cli is used to run action scripts (-a command line option) and one (or more) of the following build combinations for wpa_supplicant/hostapd is used:

- wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and connecting to a P2P group
- wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled
- wpa_supplicant v2.2 with CONFIG_HS20 build option enabled
- hostapd v0.7.2-v2.2 with CONFIG_WPS build option enabled and WPS enabled in runtime configuration

The wpa_supplicant and hostapd processes are not directly affected, i.e., the vulnerability occurs in the wpa_cli/hostapd_cli process based on information received from wpa_supplicant/hostapd. The attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a frame that triggers a suitably formatted event message, which allows full control over the executed command.
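The root cause named above is a string of remote origin reaching system(), where /bin/sh parses it. The fix adopted upstream (os_exec(), see the mitigation commits) is to exec the action script directly with each value as its own argv element. The following C program is an added example written for this page, not wpa_cli/hostapd_cli source and not the upstream os_exec() implementation: exec_capture(), run_action_script() and has_shell_metachars() are hypothetical names, and the event text is constructed. It shows that with the exec-based pattern a ';' inside the event string arrives at the script as a literal character in $2 rather than as a command separator, and adds a small check a defender can use to log events that would have been dangerous to a legacy system()-based build.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Pattern the advisory describes as vulnerable (comment only, never called here):
 *
 *   snprintf(buf, sizeof(buf), "%s %s %s", action_file, ifname, event);
 *   system(buf);
 *
 * system() hands buf to /bin/sh, so shell metacharacters inside `event`
 * (text that originated in a frame from a remote device) become shell syntax.
 */

/* Spawn `path` directly with fork()+execv() (no shell), pass argv verbatim,
 * and capture the child's stdout into `out`. Returns the child's exit status
 * (0..255) or -1 on failure. Hypothetical helper, not upstream os_exec(). */
int exec_capture(const char *path, char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec the program itself */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(path, argv);
        _exit(127); /* only reached if exec failed */
    }
    close(fds[1]);
    size_t used = 0;
    char scratch[256];
    for (;;) {
        ssize_t n;
        if (used + 1 < outlen) {
            n = read(fds[0], out + used, outlen - 1 - used);
            if (n > 0)
                used += (size_t)n;
        } else {
            /* buffer full: keep draining so the child is never blocked on write */
            n = read(fds[0], scratch, sizeof scratch);
        }
        if (n <= 0)
            break;
    }
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened action-script runner: interface name and event text are separate
 * argv elements, so the script sees them as $1 and $2 and no shell ever
 * tokenises the event string. */
int run_action_script(const char *script, const char *ifname, const char *event,
                      char *out, size_t outlen)
{
    char *const argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
    return exec_capture(script, argv, out, outlen);
}

/* Defensive check: does an event string contain characters /bin/sh treats
 * specially? Returns 1 if so, else 0. Useful for alerting on event text that
 * would have been dangerous to a pre-v2.3 system()-based build. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`<>()\\\"'\n*?[]{}~!#") != NULL;
}

int main(void)
{
    /* Constructed event text: the ';' would split commands under system(). */
    const char *event = "CTRL-EVENT-CONNECTED; echo injected";
    char out[256];
    /* /bin/echo stands in for an action script and simply prints its argv */
    int rc = run_action_script("/bin/echo", "wlan0", event, out, sizeof out);
    printf("exit=%d stdout=%s", rc, out);
    printf("shell metacharacters in event: %d\n", has_shell_metachars(event));
    return 0;
}
```

Because /bin/echo receives the event as one argument, the whole string including "; echo injected" is printed verbatim on a single line; nothing after the ';' was executed. The same argv-based separation is what makes the exec-style fix effective regardless of which characters the remote side chooses.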
Possible mitigation steps

- Update to wpa_cli/hostapd_cli from wpa_supplicant/hostapd v2.3
- Merge the following commits to an older version of wpa_cli/hostapd_cli and rebuild it:
  Add os_exec() helper to run external programs
  wpa_cli: Use os_exec() for action script execution
  hostapd_cli: Use more robust mechanism for action script execution
  These patches are available from http://w1.fi/security/2014-1/
- Disable use of wpa_cli/hostapd_cli command to run action scripts (this may prevent functionality)

Change history

October 28, 2014
- Removed "wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and operating as WPS Registrar" as a vulnerable combination since wpa_cli actually filters out the potentially problematic event string from wpa_supplicant while hostapd_cli does not.