Bug 1277857 (CVE-2015-5310)

Summary: CVE-2015-5310 wpa_supplicant: unauthorized WNM Sleep Mode GTK control
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: wpa_supplicant 2.6
Doc Type: Bug Fix
Reporter: Martin Prpič <mprpic>
Assignee: Red Hat Product Security <security-response-team>
CC: dcbw, rkhan, security-response-team
Keywords: Security
Last Closed: 2015-11-12 10:16:29 UTC
Bug Depends On: 1280277
Bug Blocks: 1277868

Attachments:
CVE-2015-5310 patch (flags: none)

Description Martin Prpič 2015-11-04 09:23:46 UTC
The following flaw was reported in wpa_supplicant:

A vulnerability in wpa_supplicant was found in WNM Sleep Mode Response frame processing in a case where the association uses RSN (WPA2-Personal or WPA2-Enterprise), but does not use management frame protection (MFP, also known as PMF = protected management frames). This WNM Sleep Mode mechanism was not designed to be used without management frame protection, but there was no explicit check for that in wpa_supplicant.

wpa_supplicant accepted the updated GTK keys from this frame regardless of whether management frame protection was negotiated for the association. This may result in an unauthenticated, injected frame being able to replace the GTK (the key used to protect broadcast and multicast Data frames).

This vulnerability can be used to perform broadcast/multicast packet injection and denial of service (prevent authorized broadcast/multicast packets from being accepted) attacks by an attacker that is within radio range of the station devices.

Vulnerable versions/configurations

wpa_supplicant v2.0-v2.5 with CONFIG_WNM=y in the build configuration (wpa_supplicant/.config) and a driver that sends WNM Action frames to user space for processing. For example, most cfg80211/mac80211-based drivers do this. However, some drivers do not seem to send the WNM Sleep Mode Response frame to user space even though they are reporting some other WNM Action frames. When wpa_supplicant is used with such a driver, it may not be possible to trigger this vulnerability.

Possible workarounds:

- Enable management frame protection in the AP and station configuration ("ieee80211w=2" in wpa_supplicant network profile).

- wpa_supplicant: Disable CONFIG_WNM=y in the build configuration (wpa_supplicant/.config) (i.e., remove the line or comment it out); note: this will disable all WNM functionality, so this mitigation option may not be appropriate for a number of use cases.

External References:

http://w1.fi/security/2015-6/
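Added example (not wpa_supplicant code and not part of this bug report): a small Python model of the Key Data handling the advisory describes, with the pre-2.6 behaviour beside the kind of check the fix adds (test whether PMF was negotiated before honouring Key Data). The frame body layout (dialog token, little-endian key-data length, Key Data subelements, WNM Sleep Mode element) and the GTK subelement layout (key info, key length, 6-byte PN, key) are simplified assumptions based on the 802.11 WNM-Sleep Mode definitions; the Station, handler and demo names are made up for this example. demo() sends one forged frame at four stations: a vulnerable station without PMF (GTK replaced), a fixed station without PMF (Key Data ignored), a fixed station with PMF receiving the unprotected forgery (dropped at the MAC gate), and a fixed station with PMF receiving the same body protected as the AP would send it (installed).

```python
"""Constructed model of WNM Sleep Mode Response key-data handling; not
wpa_supplicant code. Frame and GTK subelement layouts are simplified
assumptions based on the IEEE 802.11 WNM-Sleep Mode definitions."""
import struct
from collections import namedtuple
from dataclasses import dataclass

CATEGORY_WNM = 10              # Action frame category: WNM
ACTION_SLEEP_MODE_RESPONSE = 17
ELEM_WNM_SLEEP_MODE = 93       # element carrying action type and response status
SLEEP_ACTION_EXIT = 1          # leaving sleep mode; the AP may deliver a fresh GTK
SLEEP_STATUS_ACCEPT = 0
SUBELEM_GTK = 0                # Key Data subelement ID for the GTK

SleepResponse = namedtuple("SleepResponse", "token action_type status gtks")


class FrameError(ValueError):
    pass


@dataclass
class Station:
    rsn: bool                  # association uses RSN (WPA2-Personal/Enterprise)
    pmf_negotiated: bool       # management frame protection in use
    gtk: bytes
    gtk_keyidx: int


def build_sleep_response(token, keyidx, pn, gtk, action_type=SLEEP_ACTION_EXIT,
                         status=SLEEP_STATUS_ACCEPT):
    """Encode a response body carrying one GTK subelement (AP or attacker side)."""
    sub = struct.pack("<HB", keyidx & 0x3, len(gtk)) + pn + gtk
    key_data = bytes([SUBELEM_GTK, len(sub)]) + sub
    sleep_elem = bytes([ELEM_WNM_SLEEP_MODE, 4, action_type, status, 0, 0])
    return (bytes([CATEGORY_WNM, ACTION_SLEEP_MODE_RESPONSE, token])
            + struct.pack("<H", len(key_data)) + key_data + sleep_elem)


def parse_sleep_response(body):
    """Decode: token, LE16 key-data length, Key Data subelements, sleep-mode element."""
    if len(body) < 5:
        raise FrameError("truncated header")
    cat, action, token, key_len = struct.unpack_from("<BBBH", body, 0)
    if cat != CATEGORY_WNM or action != ACTION_SLEEP_MODE_RESPONSE:
        raise FrameError("not a WNM Sleep Mode Response")
    key_data = body[5:5 + key_len]
    if len(key_data) != key_len:
        raise FrameError("key data truncated")
    gtks, pos = [], 0
    while pos + 2 <= len(key_data):
        sid, slen = key_data[pos], key_data[pos + 1]
        sub = key_data[pos + 2:pos + 2 + slen]
        if len(sub) != slen:
            raise FrameError("subelement truncated")
        if sid == SUBELEM_GTK:             # key info(2) | key len(1) | PN(6) | key
            if slen < 9 or slen != 9 + sub[2] or not 5 <= sub[2] <= 32:
                raise FrameError("malformed GTK subelement")
            keyinfo, klen = struct.unpack_from("<HB", sub, 0)
            gtks.append((keyinfo & 0x3, sub[3:9], sub[9:9 + klen]))
        pos += 2 + slen
    rest = body[5 + key_len:]
    if len(rest) < 6 or rest[0] != ELEM_WNM_SLEEP_MODE or rest[1] < 4:
        raise FrameError("missing WNM Sleep Mode element")
    return SleepResponse(token, rest[2], rest[3], gtks)


def _install_keys_on_exit(sta, resp):
    """Install the delivered GTK(s) if this is an accepted sleep-mode exit."""
    if sta.rsn and resp.action_type == SLEEP_ACTION_EXIT and resp.status == SLEEP_STATUS_ACCEPT:
        for keyidx, pn, key in resp.gtks:
            sta.gtk, sta.gtk_keyidx = key, keyidx


def handle_sleep_response_vulnerable(sta, body):
    """Pre-2.6 logic: Key Data honoured on any RSN association."""
    resp = parse_sleep_response(body)
    _install_keys_on_exit(sta, resp)
    return resp


def handle_sleep_response_fixed(sta, body):
    """Hardened logic: Key Data ignored unless PMF was negotiated."""
    resp = parse_sleep_response(body)
    if sta.pmf_negotiated:
        _install_keys_on_exit(sta, resp)
    return resp


def rx_action_frame(sta, body, protected, handler):
    """MAC-level gate: with PMF, an unprotected robust Action frame is discarded
    before any handler sees it, so injection cannot reach the key path."""
    if sta.pmf_negotiated and not protected:
        return None
    return handler(sta, body)


def demo():
    """One forged frame against four stations; returns each station's GTK afterwards."""
    forged = build_sleep_response(1, 2, bytes(6), b"\xaa" * 16)   # attacker-chosen key
    stas = [Station(rsn=True, pmf_negotiated=p, gtk=b"\x11" * 16, gtk_keyidx=1)
            for p in (False, False, True, True)]
    rx_action_frame(stas[0], forged, False, handle_sleep_response_vulnerable)  # replaced
    rx_action_frame(stas[1], forged, False, handle_sleep_response_fixed)       # ignored
    rx_action_frame(stas[2], forged, False, handle_sleep_response_fixed)       # dropped
    rx_action_frame(stas[3], forged, True, handle_sleep_response_fixed)        # AP-sent, protected
    return tuple(s.gtk for s in stas)
```

The last case is the point of the advisory: the mechanism is only sound when PMF is in place, because then the frame carrying the key is itself authenticated at the MAC layer; without PMF the only safe action on Key Data is to ignore it, which is what the second station does.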

Comment 1 Martin Prpič 2015-11-04 09:27:41 UTC
Created attachment 1089479 [details]
CVE-2015-5310 patch

Comment 2 Martin Prpič 2015-11-11 11:50:16 UTC
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1280277]

Comment 3 Dan Williams 2015-11-11 17:21:24 UTC
I don't believe that Fedora is affected by this bug as we do not enable the required CONFIG_WNM=y option when building wpa_supplicant.

From upstream's original mail:

--------
Possible mitigation steps

- wpa_supplicant: Disable CONFIG_WNM=y in the build configuration
  (wpa_supplicant/.config) (i.e., remove the line or comment it out);
  note: this will disable all WNM functionality, so this mitigation option
  may not be appropriate for a number of use cases.
--------

Since we do not enable CONFIG_WNM=y in the first place, we have already mitigated it.

Comment 4 Dan Williams 2015-11-11 17:27:53 UTC
The option is not enabled in RHEL7 either, so I don't believe RHEL7 is vulnerable.  wnm-sta.c is not compiled on RHEL7 so the patch will have no effect.

Comment 5 Martin Prpič 2015-11-12 10:16:29 UTC
Statement:

Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the WNM functionality.