Bug 772367 (CVE-2011-5053)

Summary: CVE-2011-5053 Wifi Protected Setup (WPS) registrar PINs Brute Force attack
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: linville
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-01-18 16:23:22 UTC

Description Kurt Seifried 2012-01-07 00:35:23 UTC
http://code.google.com/p/reaver-wps/
http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/
http://www.kb.cert.org/vuls/id/723755

The Wi-Fi Protected Setup (WPS) protocol, when the "external
registrar" authentication method is used, does not properly inform
clients about failed PIN authentication, which makes it easier for
remote attackers to discover the PIN value, and consequently discover
the Wi-Fi network password or reconfigure an access point, by reading
EAP-NACK messages.

=========

hostapd supports WPS and may be affected.

Comment 1 Vincent Danen 2012-01-18 16:23:22 UTC
There was a question about this on the hostapd mailing list:

http://lists.shmoo.com/pipermail/hostap/2012-January/025107.html

To quote:


As far as hostapd is concerned, commit
3b2cf800afaaf4eec53a237541ec08bebc4c1a0c from early 2009 added lock-down
mechanism to limit brute force attacks on AP PIN. To avoid the issue
completely, static AP PIN should not be enabled by default as described
in hostapd.conf:

# Static access point PIN for initial configuration and adding Registrars
# If not set, hostapd will not allow external WPS Registrars to control the
# access point. The AP PIN can also be set at runtime with hostapd_cli
# wps_ap_pin command. Use of temporary (enabled by user action) and random
# AP PIN is much more secure than configuring a static AP PIN here. As such,
# use of the ap_pin parameter is not recommended if the AP device has means for
# displaying a random PIN.
#ap_pin=12345670

README-WPS has more details on how to use the wps_ap_pin command.


Unfortunately, we use a custom, minimal /etc/hostapd/hostapd.conf file which does _not_ include the above warning (the hostapd.conf in /usr/share/doc/hostapd-0.7.3/ does, however).

John, would it be reasonable to indicate in our minimal hostapd.conf file to look at the /usr/share/doc/../hostapd.conf file for more information (ours simply points to some docs on wireless.kernel.org which, if you search for WPS, gives no substantial information at all)? Of course, our default hostapd.conf does not have any WPS settings/information in it whatsoever so a user will have to hunt down docs in order to configure it.

I'm going to close this as NOTABUG, since it does not affect us; there are clear documented drawbacks to setting a static PIN in the sample configuration.  I would like to see this displayed a bit more prominently in our custom/minimal config file though.
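
A check for the setting quoted in Comment 1, as an added example that is not part of the bug report or of hostapd: it flags a hostapd.conf in which WPS is enabled and a static ap_pin is configured. The function names, finding codes and sample configurations are constructed for illustration; wps_state and ap_setup_locked are hostapd.conf options that the report itself does not mention, and the line parsing is a simplification.

```python
# Added example: audit hostapd.conf text for a static WPS AP PIN.
# Assumption: only "key=value" lines are settings and a leading "#" is a comment.


def parse_conf(text):
    """Return active settings as a dict; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_wps(text):
    """Return finding codes for the external-registrar (AP PIN) exposure."""
    conf = parse_conf(text)
    # wps_state: 0 = disabled (default), 1 = enabled/unconfigured, 2 = enabled/configured
    if conf.get("wps_state", "0") not in ("1", "2"):
        return []  # WPS disabled: ap_pin, if present, is not in use
    if not conf.get("ap_pin"):
        return []  # no static PIN: a PIN must be enabled at runtime (wps_ap_pin)
    findings = ["static-ap-pin"]
    if conf.get("ap_setup_locked", "0") == "1":
        findings.append("setup-locked")  # new Registrars are not accepted while locked
    else:
        findings.append("external-registrar-open")
    return findings


# Constructed sample configurations (not taken from any real system).
MINIMAL = "interface=wlan0\nssid=example\nwpa=2\n"
COMMENTED = MINIMAL + "wps_state=2\n#ap_pin=12345670\n"
STATIC = MINIMAL + "wps_state=2\nap_pin=12345670\n"
LOCKED = STATIC + "ap_setup_locked=1\n"

if __name__ == "__main__":
    for name, text in [("minimal", MINIMAL), ("commented", COMMENTED),
                       ("static", STATIC), ("locked", LOCKED)]:
        print(f"{name:10} {audit_wps(text) or 'ok'}")
```

A configuration that reports external-registrar-open is the case the quoted hostapd.conf text advises against: remove ap_pin and enable a temporary random PIN with hostapd_cli wps_ap_pin only when a Registrar needs to be added.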

Comment 2 John W. Linville 2012-01-18 19:18:07 UTC
Vincent, your suggestion seems reasonable to me.

http://koji.fedoraproject.org/koji/taskinfo?taskID=3711985