WPA Supplicant configuration file injection vulnerability

Internet of Things devices are supposed to be always connected to the Internet, meaning not just anytime-anywhere availability, but a continuous threat as well. As the Wi-Fi technology became part of everyday life with the protocol constantly evolving in the background. The open source project WPA Supplicant aims to cover the complete feature set of the various Wi-Fi standards and to offer an easy way to manage interface to integrators, therefore it became a popular choice for developers targeting embedded platforms.

In February 2016, SEARCH-LAB Ltd discovered a vulnerability in the parameter sanitization of the WPA Supplicant implementation. The bug made it possible to inject arbitrary values into the configuration file of WPA Supplicant via its control interface, leading to code execution or even breaking down the Wi-Fi functionality of a device.

Although the control interface is supposed to be accessible for reliable parties only, there are situations where it processes data from untrusted sources. For example on the Android platform applications with Wi-Fi management permission (CHANGE_WIFI_STATE) have the power to exploit this vulnerability. Thus, a malicious application, running on the Android platform with the vulnerable version of WPA Supplicant, was capable of elevating its permissions to system level, or – even worse – including the Wi-Fi chip to malfunction. This latter attack could be only fixed by resetting the device to its factory default state.

After reporting the issue to the Android Security Team, they coordinated the fixing process. On their side, the issue was addressed in the Nexus May bulletin and the corresponding security patches. In parallel, the WPA Supplicant project maintainers committed the fixes to their source repository in early May. Further security fixes are expected for a wide range of Wi-Fi capable products from many vendors.

For customers with older Android handsets – where software updates are not available anymore – we recommend to avoid installing applications from untrusted sources, especially ones asking for Wi-Fi permission.

Companies who wish to stay away from vulnerabilities can take a look at our secure coding training portfolio at www.scademy.com/courses

Scademy, sister company of Search-Lab, is a recognized training house providing secure coding educational programs throughout the globe.

Discovered by: Imre Rad

CVE (for the generic WPA Supplicant case): CVE-2016-4476, CVE-2016-4477

CVE (for Android platform): CVE-2016-2447