Red Hat Bugzilla – Bug 1277857
CVE-2015-5310 wpa_supplicant: unauthorized WNM Sleep Mode GTK control
Last modified: 2015-11-12 05:16:29 EST
The following flaw was reported in wpa_supplicant:
A vulnerability in wpa_supplicant was found in WNM Sleep Mode Response frame processing in a case where the association uses RSN (WPA2-Personal or WPA2-Enterprise), but does not use management frame protection (MFP, also known as PMF = protected management frames). This WNM Sleep Mode mechanism was not designed to be used without management frame protection, but there was no explicit check for that in wpa_supplicant.
wpa_supplicant accepted the updated GTK keys from this frame regardless of whether management frame protection was negotiated for the association. This may result in an unauthenticated, injected frame being able to replace the GTK (the key used to protect broadcast and multicast Data frames).
This vulnerability can be used to perform broadcast/multicast packet injection and denial of service (prevent authorized broadcast/multicast packets from being accepted) attacks by an attacker that is within radio range of the station devices.
Affected: wpa_supplicant v2.0-v2.5 with CONFIG_WNM=y in the build configuration (wpa_supplicant/.config) and a driver that sends WNM Action frames to user space for processing. For example, most cfg80211/mac80211-based drivers do this. However, some drivers do not seem to send the WNM Sleep Mode Response frame to user space even though they are reporting some other WNM Action frames. When wpa_supplicant is used with such a driver, it may not be possible to trigger this vulnerability.
- Enable management frame protection in the AP and station configuration ("ieee80211w=2" in wpa_supplicant network profile).
- wpa_supplicant: Disable CONFIG_WNM=y in the build configuration (wpa_supplicant/.config), i.e., remove the line or comment it out. Note: this will disable all WNM functionality, so this mitigation option may not be appropriate for a number of use cases.
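The missing check described above, as an added C example that is not wpa_supplicant's own code: a simplified model of WNM Sleep Mode Response Key Data handling, once in the vulnerable form (GTK installed regardless of MFP) and once gated on the association having negotiated management frame protection. The assoc_state struct, the subelement ID values and the flat "body is the key" layout are assumptions made for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of association state; not wpa_supplicant's real structs. */
struct assoc_state {
    int rsn;             /* 1 if the association uses RSN (WPA2) */
    int mfp_negotiated;  /* 1 if management frame protection is in use */
    uint8_t gtk[32];
    size_t gtk_len;
    int gtk_installed;   /* count of GTK updates accepted */
};
/* Subelement IDs in the Key Data field (assumed here: 0 = GTK, 1 = IGTK). */
#define WNM_SLEEP_SUBELEM_GTK  0
#define WNM_SLEEP_SUBELEM_IGTK 1

/* Walk Key Data as ID/Length/Body TLVs and install any GTK found. Simplified
 * layout for the example: the GTK subelement body is taken to be the key itself. */
static int install_gtk_from_key_data(struct assoc_state *s, const uint8_t *kd, size_t len)
{
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t id = kd[pos], sublen = kd[pos + 1];
        if (pos + 2 + sublen > len)
            return -1;                      /* truncated subelement */
        if (id == WNM_SLEEP_SUBELEM_GTK) {
            if (sublen < 16 || sublen > sizeof(s->gtk))
                return -1;                  /* implausible key length */
            memcpy(s->gtk, &kd[pos + 2], sublen);
            s->gtk_len = sublen;
            s->gtk_installed++;
        }
        pos += 2 + sublen;
    }
    return 0;
}
/* Vulnerable behaviour from the advisory: Key Data accepted regardless of MFP. */
int wnm_sleep_resp_vulnerable(struct assoc_state *s, const uint8_t *kd, size_t len)
{
    return install_gtk_from_key_data(s, kd, len);
}
/* Hardened behaviour: an unprotected Action frame cannot authenticate a key
 * update, so Key Data is ignored unless this RSN association negotiated MFP. */
int wnm_sleep_resp_hardened(struct assoc_state *s, const uint8_t *kd, size_t len)
{
    if (!s->rsn || !s->mfp_negotiated)
        return -1;                          /* ignore unauthenticated key update */
    return install_gtk_from_key_data(s, kd, len);
}
```

With ieee80211w=2 in the station profile, mfp_negotiated is 1 for every association, which is why that configuration mitigates the issue even on a build where the check is absent.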
Created attachment 1089479
Created wpa_supplicant tracking bugs for this issue:
Affects: fedora-all [bug 1280277]
I don't believe that Fedora is affected by this bug as we do not enable the required CONFIG_WNM=y option when building wpa_supplicant.
From upstream's original mail:
Possible mitigation steps
- wpa_supplicant: Disable CONFIG_WNM=y in the build configuration (wpa_supplicant/.config) (i.e., remove the line or comment it out); note: this will disable all WNM functionality, so this mitigation option may not be appropriate for a number of use cases.
Since we do not enable CONFIG_WNM=y in the first place, we have already mitigated it.
The option is not enabled in RHEL7 either, so I don't believe RHEL7 is vulnerable. wnm-sta.c is not compiled on RHEL7, so the patch will have no effect.
Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the WNM functionality.