Bug 1277857 - (CVE-2015-5310) CVE-2015-5310 wpa_supplicant: unauthorized WNM Sleep Mode GTK control
CVE-2015-5310 wpa_supplicant: unauthorized WNM Sleep Mode GTK control
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20151110,reported=2...
: Security
Depends On: 1280277
Blocks: 1277868
  Show dependency treegraph
 
Reported: 2015-11-04 04:23 EST by Martin Prpič
Modified: 2015-11-12 05:16 EST (History)
3 users (show)

See Also:
Fixed In Version: wpa_supplicant 2.6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-12 05:16:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
CVE-2015-5310 patch (1022 bytes, text/plain)
2015-11-04 04:27 EST, Martin Prpič
no flags Details

  None (edit)
Description Martin Prpič 2015-11-04 04:23:46 EST
The following flaw was reported in wpa_supplicant:

A vulnerability in wpa_supplicant was found in WMM Sleep Mode Response frame processing in a case where the association uses RSN (WPA2-Personal or WPA2-Enterprise), but does not use management frame protection (MFP, also known as PMF = protected management frames). This WNM Sleep Mode mechanism was not designed to be used without management frame protection, but there was no explicit check for that in wpa_supplicant.

wpa_supplicant accepted the updated GTK keys from this frame regardless of whether management frame protection was negotiated for the association. This may result in an unauthenticated, injected frame being able to replace the GTK (the key used to protected broadcast and multicast Data frames).

This vulnerability can be used to perform broadcast/multicast packet injection and denial of service (prevent authorized broadcast/multicast packets from being accepted) attacks by an attacker that is within radio range of the station devices.

Vulnerable versions/configurations

wpa_supplicant v2.0-v2.5 with CONFIG_WNM=y the build configuration (wpa_supplicant/.config) and a driver that sends WNM Action frames to user space for processing. For example, most cfg80211/mac80211-based drivers do this. However, some drivers do not seem to send the WNM Sleep Mode Response frame to user space even though they are reporting some other WNM Action frames. When wpa_supplicant is used with such a driver, it may not be possible to trigger this vulnerability.

Possible workarounds:

- Enable management frame protection in the AP and station configuration ("ieee80211w=2" in wpa_supplicant network profile).

- wpa_supplicant: Disable CONFIG_WNM=y in the build configuration (wpa_supplicant/.config) (i.e., remove the line or comment it out); note: this will disable all WNM functionality, so this mitigation option may not be appropriate for number of use cases.

External References:

http://w1.fi/security/2015-6/
Comment 1 Martin Prpič 2015-11-04 04:27 EST
Created attachment 1089479 [details]
CVE-2015-5310 patch
Comment 2 Martin Prpič 2015-11-11 06:50:16 EST
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1280277]
Comment 3 Dan Williams 2015-11-11 12:21:24 EST
I don't believe that Fedora is affected by this bug as we do not enable the required CONFIG_WNM=y option when building wpa_supplicant.

From upstream's original mail:

--------
Possible mitigation steps

- wpa_supplicant: Disable CONFIG_WNM=y in the build configuration
  (wpa_supplicant/.config) (i.e., remove the line or comment it out);
  note: this will disable all WNM functionality, so this mitigation option
  may not be appropriate for number of use cases.
--------

Since we do not enable CONFIG_WNM=y in the first place, we have already mitigated it.
Comment 4 Dan Williams 2015-11-11 12:27:53 EST
The option is not enabled in RHEL7 either, so I don't believe RHEL7 is vulnerable.  wnm-sta.c is not compiled on RHEL7 so the patch will have no effect.
Comment 5 Martin Prpič 2015-11-12 05:16:29 EST
Statement:

Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the WNM functionality.

Note You need to log in before you can comment on or make changes to this bug.