Bug 1960494 (CVE-2020-26142)

Summary: CVE-2020-26142 kernel: processing fragmented frames as full frames
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, ihuguet, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, walters, wcosta, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, where the WiFi implementations treat fragmented frames as full frames. This flaw allows an attacker to inject arbitrary network packets independent of the network configuration. The highest threat from this vulnerability is to integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-19 01:14:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1960495
Bug Blocks: 1959275

Description Dhananjay Arunesh 2021-05-14 03:37:23 UTC
A vulnerability was found in the Linux kernel, where the wifi implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.

Upstream patch:
https://lore.kernel.org/linux-wireless/20210511180259.159598-1-johannes@sipsolutions.net/
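
The receiver-side distinction this report is about (a frame with the More Fragments bit set or a non-zero fragment number is one piece of an MSDU, not a complete one) can be shown with a small parser. The block below is an added example written for this page; it is not code from the bug report, from the upstream patch, or from mac80211. It assumes plain (non-QoS, unencrypted) 802.11 data frames, uses constructed sample frames with made-up addresses, and implements only the minimal in-order reassembly rule, with no timeouts or per-TID state. `naive_deliver` mirrors the flawed behaviour (every frame body is handed up as a full packet); `Defragmenter` only delivers a payload once every fragment of the sequence has arrived.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Frame Control bits of the 802.11 MAC header (IEEE 802.11 clause 9.2.4.1)
FC_TYPE_DATA = 2          # type field value for data frames
FC_TO_DS = 1 << 8
FC_FROM_DS = 1 << 9
FC_MORE_FRAGMENTS = 1 << 10


@dataclass
class Frame80211:
    fc: int
    addr1: bytes
    addr2: bytes
    addr3: bytes
    seq_num: int
    frag_num: int
    more_fragments: bool
    body: bytes


def parse_frame(raw: bytes) -> Frame80211:
    """Parse the MAC header of a data frame and split off the body."""
    if len(raw) < 24:
        raise ValueError("frame shorter than the minimal 24-byte MAC header")
    fc, _duration = struct.unpack_from("<HH", raw, 0)
    if (fc >> 2) & 0x3 != FC_TYPE_DATA:
        raise ValueError("only data frames are handled in this example")
    hdr_len = 24
    if fc & FC_TO_DS and fc & FC_FROM_DS:
        hdr_len += 6                      # Addr4 present in WDS frames
    if (fc >> 4) & 0x8:
        hdr_len += 2                      # QoS Control present for QoS data subtypes
    seq_ctrl, = struct.unpack_from("<H", raw, 22)
    return Frame80211(fc, raw[4:10], raw[10:16], raw[16:22],
                      seq_num=seq_ctrl >> 4, frag_num=seq_ctrl & 0xF,
                      more_fragments=bool(fc & FC_MORE_FRAGMENTS),
                      body=raw[hdr_len:])


def naive_deliver(raw: bytes) -> bytes:
    """Flawed receiver: hands the body up whether or not the frame is a fragment."""
    return parse_frame(raw).body


class Defragmenter:
    """Receiver that delivers a payload only once all of its fragments are present."""

    def __init__(self) -> None:
        # pending fragments keyed by (transmitter address, sequence number)
        self._pending: Dict[Tuple[bytes, int], List[bytes]] = {}

    def deliver(self, raw: bytes) -> Optional[bytes]:
        f = parse_frame(raw)
        key = (f.addr2, f.seq_num)
        if not f.more_fragments and f.frag_num == 0:
            self._pending.pop(key, None)  # a complete MSDU supersedes stale state
            return f.body
        buf = self._pending.get(key)
        if f.frag_num == 0:
            buf = self._pending[key] = [f.body]       # first fragment of a sequence
        elif buf is None or len(buf) != f.frag_num:
            self._pending.pop(key, None)              # gap or lone trailing fragment: drop
            return None
        else:
            buf.append(f.body)
        if f.more_fragments:
            return None                               # wait for the remaining fragments
        self._pending.pop(key)
        return b"".join(buf)


def build_data_frame(addr2: bytes, seq_num: int, frag_num: int,
                     more_fragments: bool, body: bytes) -> bytes:
    """Build a constructed non-QoS data frame for the demonstration (not a real capture)."""
    fc = FC_TYPE_DATA << 2 | (FC_MORE_FRAGMENTS if more_fragments else 0)
    addr1, addr3 = b"\xaa" * 6, b"\xcc" * 6           # constructed sample addresses
    seq_ctrl = (seq_num << 4) | (frag_num & 0xF)
    return (struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3
            + struct.pack("<H", seq_ctrl) + body)


def demo() -> dict:
    src = b"\x02" * 6                                 # constructed transmitter address
    frag0 = build_data_frame(src, 17, 0, True, b"hello ")
    frag1 = build_data_frame(src, 17, 1, False, b"world")
    whole = build_data_frame(src, 18, 0, False, b"single frame")
    d = Defragmenter()
    return {
        "naive_on_frag0": naive_deliver(frag0),       # flawed: b"hello " treated as a packet
        "checked_on_frag0": d.deliver(frag0),         # None: still waiting
        "checked_on_frag1": d.deliver(frag1),         # b"hello world": reassembled
        "checked_on_whole": d.deliver(whole),         # b"single frame": unfragmented
        "lone_trailing_fragment": Defragmenter().deliver(frag1),  # None: dropped
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The contrast to look for is the first two entries of `demo()`: the naive receiver passes a first fragment up as if it were a whole packet, while the checking receiver holds it until the sequence completes and discards a fragment whose predecessors never arrived. A production driver additionally has to tie fragments to the same key and packet number, which this example leaves out.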

Comment 1 Dhananjay Arunesh 2021-05-14 03:38:01 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1960495]

Comment 2 Wade Mealing 2021-05-19 01:14:36 UTC
As per the research paper (https://papers.mathyvanhoef.com/usenix2021.pdf, pages 13 and 14):

"Certain implementations, such as OpenBSD and the ESP-12F, do not support A-MSDUs or fragmented frames. However, they are still vulnerable to attacks because they treat all frames as non-fragmented ones (CVE-2020-26142)."

Marking notaffected as I do not see this affecting RHEL or Linux systems.

I would suggest Fedora do the same, but I'll let them make that call.

Thanks.

Comment 6 Íñigo Huguet 2021-07-29 14:20:43 UTC
`git log --oneline --grep CVE-2020-24588` gives this output:
2c2bdd2372af mt76: validate rx A-MSDU subframes
079a108feba4 ath10k: drop MPDU which has discard flag set by firmware for SDIO
270032a2a9c4 mac80211: drop A-MSDUs on old ciphers
2b8a1fee3488 cfg80211: mitigate A-MSDU aggregation attacks

Looking at the patches, they claim to fix this CVE and similar attacks. I suggest reopening this BZ.

Comment 7 Íñigo Huguet 2021-07-29 14:23:56 UTC
(In reply to Íñigo Huguet from comment #6)
> `git log --oneline --grep CVE-2020-24588` gives this output:
> 2c2bdd2372af mt76: validate rx A-MSDU subframes
> 079a108feba4 ath10k: drop MPDU which has discard flag set by firmware for SDIO
> 270032a2a9c4 mac80211: drop A-MSDUs on old ciphers
> 2b8a1fee3488 cfg80211: mitigate A-MSDU aggregation attacks
> 
> Looking at the patches, they claim to fix this CVE and similar attacks. I suggest reopening this BZ.

Sorry, my mistake, I mixed 2 different CVEs. Forget that.

Comment 9 Justin M. Forbes 2022-01-14 15:59:54 UTC
This was fixed for Fedora with the 5.12.9 stable kernel updates.