Bug 1767023 (CVE-2019-16275)

Summary: CVE-2019-16275 wpa_supplicant: AP mode PMF disconnection protection bypass
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: bgalvani, blueowl, dcaratti, dcbw, john.j5live, linville, lkundrak, negativo17, sukulkar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: wpa_supplicant 2.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in wpa_supplicant. When Access Point (AP) mode and Protected Management Frames (PMF) (IEEE 802.11w) are enabled, wpa_supplicant does not perform enough validation on the source address of some received management frames. An attacker within the 802.11 communications range could use this flaw to inject an unauthenticated frame and perform a denial-of-service attack against another device which would be disconnected from the network.
Story Points: ---
Last Closed: 2019-10-31 18:51:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1767026, 1767027, 1767028, 1767555
Bug Blocks: 1767029

Description Guilherme de Almeida Suckevicz 2019-10-30 14:14:17 UTC
hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range.


Comment 1 Guilherme de Almeida Suckevicz 2019-10-30 14:16:28 UTC
Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1767028]
Affects: fedora-all [bug 1767027]

Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1767026]

Comment 2 Riccardo Schirone 2019-10-31 08:45:52 UTC
Upstream patch:

Comment 3 Riccardo Schirone 2019-10-31 15:51:28 UTC
External References:


Comment 4 Riccardo Schirone 2019-10-31 16:10:26 UTC
The flaw allows PMF to be bypassed, which should prevent disconnect attacks. Thus affected versions include those compiled with PMF support (CONFIG_IEEE80211W=y) that also have AP mode and PMF enabled at runtime. Moreover, the flaw can be triggered only when it is wpa_supplicant itself that controls the authentication and association management frames (e.g. drivers that use mac80211) and not when the driver directly handles those frames.

However, when wpa_supplicant in AP mode is used, but PMF support is either not compiled in or not enabled at runtime, it is already possible for an attacker within the 802.11 communications range to perform a disconnect attack.

Comment 5 Riccardo Schirone 2019-10-31 16:42:24 UTC
Functions ap/ieee802_11.c:ieee802_11_mgmt() and ap/drv_callbacks.c:hostapd_notif_assoc() were not correctly checking that the received frames actually contained an expected SA. By sending frames with an unexpected SA it is possible to make wpa_supplicant in AP mode send response frames to another device and cause its disconnection.
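
The kind of source-address check Comment 5 says was missing, as an added illustration that is not hostapd's or wpa_supplicant's code: a filter that an AP applies to a received management frame before generating any response, so that no Authentication or Association response is ever sent on behalf of an address the AP could not have authenticated. The page says only "unexpected SA"; treating a group (broadcast or multicast) address or the AP's own address as unexpected is this example's assumption, and the header offsets and sample addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define MGMT_HDR_LEN 24      /* FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2) */
#define OFF_DA 4             /* addr1 = destination */
#define OFF_SA 10            /* addr2 = source */
#define OFF_BSSID 16         /* addr3 = BSSID */

/* Constructed sample addresses, not taken from any real capture. */
const uint8_t ap_addr[ETH_ALEN]    = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
const uint8_t sta_addr[ETH_ALEN]   = {0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
const uint8_t bcast_addr[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
const uint8_t mcast_addr[ETH_ALEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01};

static bool is_group_addr(const uint8_t *a)
{
    return (a[0] & 0x01) != 0;       /* I/G bit set: broadcast or multicast */
}

/* Accept only a management frame whose SA is an individual station address,
 * is not the AP itself, and whose BSSID is this BSS (assumed policy).  Anything
 * else is dropped silently, so the AP never answers on behalf of that SA. */
bool mgmt_sa_is_expected(const uint8_t *frame, size_t len, const uint8_t *own_addr)
{
    if (len < MGMT_HDR_LEN)
        return false;
    if ((frame[0] & 0x0c) != 0x00)   /* FC type bits 00 = management */
        return false;
    if (is_group_addr(frame + OFF_SA))
        return false;
    if (memcmp(frame + OFF_SA, own_addr, ETH_ALEN) == 0)
        return false;
    if (memcmp(frame + OFF_BSSID, own_addr, ETH_ALEN) != 0)
        return false;
    return true;
}

/* Build a constructed Authentication frame from `sa` to the AP and run the check. */
bool auth_frame_from_sa_accepted(const uint8_t *sa)
{
    uint8_t f[MGMT_HDR_LEN] = {0};
    f[0] = 0xb0;                              /* subtype 1011 (Authentication), type 00 */
    memcpy(f + OFF_DA, ap_addr, ETH_ALEN);
    memcpy(f + OFF_SA, sa, ETH_ALEN);
    memcpy(f + OFF_BSSID, ap_addr, ETH_ALEN);
    return mgmt_sa_is_expected(f, sizeof(f), ap_addr);
}
```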

Comment 9 Product Security DevOps Team 2019-10-31 18:51:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 10 Eric Christensen 2019-11-04 19:15:07 UTC
This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8. Versions of the package shipped in Red Hat Enterprise Linux 5 and 6 are built without AP mode (CONFIG_AP=y), while versions of the package shipped in Red Hat Enterprise Linux 7 and 8, even though they support AP mode, do not enable IEEE 802.11w (CONFIG_IEEE80211W=y). Both options are required for the flaw to be exploited.