wpa_cli and hostapd_cli action script execution vulnerability

Published: October 9, 2014
Identifier: CVE-2014-3686
Latest version available from: http://w1.fi/security/2014-1/


A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root or at least network admin in common use cases).

Vulnerable versions/configurations

wpa_cli is a component distributed with wpa_supplicant and hostapd_cli
is a component distributed with hostapd. The vulnerability affects only
cases where wpa_cli or hostapd_cli is used to run action scripts (-a
command line option) and one (or more) of the following build
combinations for wpa_supplicant/hostapd is used:

wpa_supplicant v1.0-v2.2 with CONFIG_P2P build option enabled and
connecting to a P2P group

wpa_supplicant v2.1-v2.2 with CONFIG_WNM build option enabled

wpa_supplicant v2.2 with CONFIG_HS20 build option enabled

wpa_supplicant v0.7.2-v2.2 with CONFIG_WPS build option enabled and
operating as WPS Registrar

hostapd v0.7.2-v2.2 with CONFIG_WPS build option enabled and WPS enabled
in runtime configuration

wpa_supplicant and hostapd processes are not directly affected, i.e.,
the vulnerability occurs in the wpa_cli/hostapd_cli process based on
information received from wpa_supplicant/hostapd.

An attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a frame that triggers a
suitably formatted event message, which allows full control of command
execution.

Possible mitigation steps

- Update to wpa_cli/hostapd_cli from wpa_supplicant/hostapd v2.3

- Merge the following commits to an older version of wpa_cli/hostapd_cli
  and rebuild it:

  Add os_exec() helper to run external programs
  wpa_cli: Use os_exec() for action script execution
  hostapd_cli: Use more robust mechanism for action script execution

  These patches are available from http://w1.fi/security/2014-1/

- Disable use of the wpa_cli/hostapd_cli -a option to run action scripts
  (this may prevent functionality)
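The following is an added illustration, not code from wpa_supplicant or hostapd, of the difference between the two mechanisms described above: building a shell command line from a control-interface event string (the pre-2.3 system() pattern) versus passing the event text to the action script as one argv element with no shell in between (the approach of the os_exec() fix). Function names, the sample event and the script paths are this example's own.

```c
/* Added example (not wpa_supplicant/hostapd code). Names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Weak pattern: the event text is spliced into a single command line that a
 * shell would parse. Bytes chosen by a remote device (for example a WPS or
 * P2P name inside the event) end up inside that line unchanged. This helper
 * only builds the string and does NOT call system(). Returns 0 on success. */
static int build_shell_command(char *out, size_t outlen, const char *script,
                               const char *ifname, const char *event)
{
    int n = snprintf(out, outlen, "%s %s %s", script, ifname, event);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Does the event text contain a character a shell would treat specially?
 * Useful as a detection check on what a control interface hands over. */
static int contains_shell_metachar(const char *event)
{
    return strpbrk(event, ";|&`$()<>\n") != NULL;
}

/* Hardened pattern: fork + execv with an explicit argv. The event text is
 * one argument to the script; no shell interprets it. Returns the script's
 * exit status, 127 if it could not be executed, -1 on fork/wait failure. */
static int run_action_script(const char *script, const char *ifname,
                             const char *event)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
        execv(script, argv);
        _exit(127); /* only reached if execv() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the weak pattern, any metacharacter in the event reaches the shell; with the hardened one, the same bytes are simply argv[2] of the script, which is the property the v2.3 change restores.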

