Bug 1767023 (CVE-2019-16275)
Summary: | CVE-2019-16275 wpa_supplicant: AP mode PMF disconnection protection bypass | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | bgalvani, blueowl, dcaratti, dcbw, john.j5live, linville, lkundrak, negativo17, sukulkar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | wpa_supplicant 2.10 | Doc Type: | If docs needed, set a value |
Doc Text: |
A vulnerability was discovered in wpa_supplicant. When Access Point (AP) mode and Protected Management Frames (PMF) (IEEE 802.11w) are enabled, wpa_supplicant does not perform enough validation on the source address of some received management frames. An attacker within the 802.11 communications range could use this flaw to inject an unauthenticated frame and perform a denial-of-service attack against another device which would be disconnected from the network.
|
Last Closed: | 2019-10-31 18:51:35 UTC | Type: | --- |
Bug Depends On: | 1767026, 1767027, 1767028, 1767555 | ||
Bug Blocks: | 1767029 |
Description
Guilherme de Almeida Suckevicz
2019-10-30 14:14:17 UTC
Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1767028]
Affects: fedora-all [bug 1767027]

Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1767026]

External References:

https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

The flaw allows bypassing PMF, which should prevent disconnect attacks. Thus affected versions include those compiled with PMF support (CONFIG_IEEE80211W=y) and that have AP mode and PMF enabled at runtime. Moreover, the flaw can be triggered only when it is wpa_supplicant itself that controls the authentication and association management frames (e.g. drivers that use mac80211) and not when the driver directly handles those frames. However, when wpa_supplicant in AP mode is used, but PMF support is either not compiled in or not enabled at runtime, it is already possible for an attacker within the 802.11 communications range to perform a disconnect attack.

Functions ap/ieee802_11.c:ieee802_11_mgmt() and ap/drv_callbacks.c:hostapd_notif_assoc() were not correctly checking that the received frames actually contained an expected SA. By sending frames with an unexpected SA it is possible to make wpa_supplicant in AP mode send response frames to another device and cause its disconnection.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16275

Statement:

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8. Versions of the package shipped in Red Hat Enterprise Linux 5 and 6 are built without AP mode (CONFIG_AP=y), while versions of the package shipped in Red Hat Enterprise Linux 7 and 8, even though they support AP mode, do not enable IEEE 802.11w (CONFIG_IEEE80211W=y). Both options are required for the flaw to be exploited.
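The preconditions listed in the comments above can be checked mechanically on a host. The following is an added example, not code from this bug report or from the wpa_supplicant project. The function names and sample inputs are hypothetical; `mode=2` (AP) and `ieee80211w` are assumed to be set per network block in `wpa_supplicant.conf`.

```python
import re

FIXED = (2, 10)  # "Fixed In Version: wpa_supplicant 2.10" on this page

def build_flags(dotconfig):
    """CONFIG_* options set to 'y' in a wpa_supplicant build .config."""
    return set(re.findall(r"^\s*(CONFIG_\w+)\s*=\s*y\s*$", dotconfig, re.M))

def ap_pmf_networks(conf):
    """SSIDs of network blocks with AP mode (mode=2) and ieee80211w=1 or 2.
    Assumption: only the per-network ieee80211w value is considered."""
    hits, block = [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("network={"):
            block = {}
        elif line == "}" and block is not None:
            if block.get("mode") == "2" and block.get("ieee80211w") in ("1", "2"):
                hits.append(block.get("ssid", "").strip('"'))
            block = None
        elif block is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            block[key.strip()] = value.strip()
    return hits

def exposed_networks(version, dotconfig, conf):
    """Networks meeting the version, build and runtime preconditions. An
    unparseable version is treated as unfixed; driver behaviour is not checked."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if m and (int(m.group(1)), int(m.group(2))) >= FIXED:
        return []
    if not {"CONFIG_AP", "CONFIG_IEEE80211W"} <= build_flags(dotconfig):
        return []
    return ap_pmf_networks(conf)

# Constructed sample inputs, not taken from any real system.
SAMPLE_BUILD = "CONFIG_DRIVER_NL80211=y\nCONFIG_AP=y\nCONFIG_IEEE80211W=y\n#CONFIG_WPS=y\n"
SAMPLE_CONF = """network={
    ssid="lab-ap"
    mode=2
    ieee80211w=2
}
network={
    ssid="client-net"
    ieee80211w=2
}
"""

print(exposed_networks("2.9", SAMPLE_BUILD, SAMPLE_CONF))
```

A non-empty result means only that the version, build and configuration preconditions hold; whether wpa_supplicant or the driver handles the authentication and association frames still has to be confirmed separately.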