Android, Linux, BSD (Berkeley Software Distribution), and quite likely Windows and Mac OS X are all at risk of a serious bug within a Wireless network’s component employed to authenticate clients. The disclosed flaw found in wpa_supplicant increases the possibility of an attack.
Wpa_supplicant is described as an open-source software implementation of the IEEE 802.11i specifications for a wireless client and is cross-platform. Basically, it is applied to control WPA and WPA2 Wi-Fi connections on
- BSD systems
- (occasionally) Mac OS X and Windows
However, when it comes to Mac OS X and Windows, Wpa_supplicant could only be engaged by third-party wireless software since both operating systems have their implementations.
What Is Specific about the Vulnerability?
The flaw was disclosed by Alibaba’s hardware research team. The issue was officially reported by Google security specialists.
Once exploited, the vulnerability enables a denial-of-service attack, and may read contents from the process’ memory. Furthermore, such exploitation could lead to arbitrary code execution. It is also crucial to note that all versions of the supplicant in question are exposed. Exploitation is most probable when the device has initiated an active P2P (peer-to-peer) operation.
Luckily, a patch has already been released on April 22, and operating systems can proceed towards fixing the security issue. Experts already warned that even though it is hard to execute, exploitation could be triggered without peer-to-peer operations currently in progress.
How to Stay Safe
Users are advised to install all security updates for wpa_supplicant once they are available. Until then, a wise move is to disable P2P connections for each Wi-Fi interface in the supplicant configuration. Instructions in the advisory are accessible.
However, users should be alarmed that wpa_supplicant is also employed in embedded devices. Patches for such devices are neither as frequent nor are they easy to install.