Bug 1960498 (CVE-2020-26144) - CVE-2020-26144 kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header
Summary: CVE-2020-26144 kernel: accepting unencrypted A-MSDU frames that start with RF...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-26144
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1978181 1960499 1961958 1961959 1977757
Blocks: 1959275
TreeView+ depends on / blocked
 
Reported: 2021-05-14 03:43 UTC by Dhananjay Arunesh
Modified: 2022-09-08 06:42 UTC (History)
45 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, where the WiFi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (ex., LLC/SNAP) header for EAPOL. The highest threat from this vulnerability is to integrity.
Clone Of:
Environment:
Last Closed: 2021-11-09 20:52:53 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4140 0 None None None 2021-11-09 17:23:10 UTC
Red Hat Product Errata RHSA-2021:4356 0 None None None 2021-11-09 18:26:21 UTC

Description Dhananjay Arunesh 2021-05-14 03:43:58 UTC 
A vulnerability was found in Linux Kernel, where the wifi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL.

upstream patch:
https://lore.kernel.org/linux-wireless/20210511180259.159598-1-johannes@sipsolutions.net/
Comment 1 Dhananjay Arunesh 2021-05-14 03:44:29 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1960499]
Comment 20 Íñigo Huguet 2021-08-12 09:55:46 UTC 
As per the patches desciption and the vulnerability desciption in the paper, these patches seems to be addressing this vulnerability, despite only mentioning CVE-2020-24588:
2b8a1fee3488 cfg80211: mitigate A-MSDU aggregation attacks
62a8ff67eba5 ath10k: Validate first subframe of A-MSDU before processing the list
2c2bdd2372af mt76: validate rx A-MSDU subframes
Comment 22 errata-xmlrpc 2021-11-09 17:23:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140
Comment 23 errata-xmlrpc 2021-11-09 18:26:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356
Comment 24 Product Security DevOps Team 2021-11-09 20:52:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26144
Comment 25 Justin M. Forbes 2022-01-14 15:53:26 UTC 
This was fixed for Fedora with the 5.12.9 stable kernel updates.
Comment 26 Mark Esler 2022-09-07 17:19:36 UTC 
2b8a1fee3488 states:
> Note that for kernel 4.9 and above this patch depends on "mac80211:
> properly handle A-MSDUs that start with a rfc1042 header". Otherwise
> this patch has no impact and attacks will remain possible.

a1d5ff5651ea592c67054233b14b30bf4452999c mac80211: properly handle A-MSDUs that start with a rfc1042 header" is
Comment 27 Íñigo Huguet 2022-09-08 06:42:36 UTC 
Double checking Mark's warning of dependency commit:
* it's pre v5.14 so already included in RHEL 9 since the fork point
* commit a1d5ff5651 included in RHEL 8.5, at the same time than the commits from comment 20, so there are not any version with the vulnerability.

Thanks Mark.
Note You need to log in before you can comment on or make changes to this bug.