Bug 772367 (CVE-2011-5053) - CVE-2011-5053 Wifi Protected Setup (WPS) registrar PINs Brute Force attack
Status: CLOSED NOTABUG
Alias: CVE-2011-5053
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2012-01-07 00:35 UTC by Kurt Seifried
Modified: 2019-09-29 12:49 UTC

Doc Type: Bug Fix
Last Closed: 2012-01-18 16:23:22 UTC



Description Kurt Seifried 2012-01-07 00:35:23 UTC
http://code.google.com/p/reaver-wps/
http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/
http://www.kb.cert.org/vuls/id/723755

The Wi-Fi Protected Setup (WPS) protocol, when the "external
registrar" authentication method is used, does not properly inform
clients about failed PIN authentication, which makes it easier for
remote attackers to discover the PIN value, and consequently discover
the Wi-Fi network password or reconfigure an access point, by reading
EAP-NACK messages.

=========

hostapd supports WPS and may be affected.

Comment 1 Vincent Danen 2012-01-18 16:23:22 UTC
There was a question about this on the hostapd mailing list:

http://lists.shmoo.com/pipermail/hostap/2012-January/025107.html

To quote:


As far as hostapd is concerned, commit
3b2cf800afaaf4eec53a237541ec08bebc4c1a0c from early 2009 added lock-down
mechanism to limit brute force attacks on AP PIN. To avoid the issue
completely, static AP PIN should not be enabled by default as described
in hostapd.conf:

# Static access point PIN for initial configuration and adding Registrars
# If not set, hostapd will not allow external WPS Registrars to control the
# access point. The AP PIN can also be set at runtime with hostapd_cli
# wps_ap_pin command. Use of temporary (enabled by user action) and random
# AP PIN is much more secure than configuring a static AP PIN here. As such,
# use of the ap_pin parameter is not recommended if the AP device has means for
# displaying a random PIN.
#ap_pin=12345670

README-WPS has more details on how to use the wps_ap_pin command.


Unfortunately, we use a custom, minimal /etc/hostapd/hostapd.conf file which does _not_ include the above warning (the hostapd.conf in /usr/share/doc/hostapd-0.7.3/ does, however).

John, would it be reasonable to indicate in our minimal hostapd.conf file to look at the /usr/share/doc/../hostapd.conf file for more information (ours simply points to some docs on wireless.kernel.org which, if you search for WPS, gives no substantial information at all)? Of course, our default hostapd.conf does not have any WPS settings/information in it whatsoever so a user will have to hunt down docs in order to configure it.

I'm going to close this as NOTABUG, since it does not affect us; there are clear documented drawbacks to setting a static PIN in the sample configuration.  I would like to see this displayed a bit more prominently in our custom/minimal config file though.

Comment 2 John W. Linville 2012-01-18 19:18:07 UTC
Vincent, your suggestion seems reasonable to me.

http://koji.fedoraproject.org/koji/taskinfo?taskID=3711985
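
The hostapd.conf guidance quoted in Comment 1, turned into a configuration check (an added example, not part of this bug report or of hostapd): it flags a static `ap_pin` in a hostapd.conf text. The sample configs are constructed, and the `wps_state` key with its default of 0 (WPS disabled) is assumed from upstream hostapd.conf rather than taken from this page.

```python
# Constructed sample configs for illustration (not from any real system).
SAMPLE_STATIC = """\
interface=wlan0
ssid=example
wps_state=2
# documentation example value left in place
ap_pin=12345670
"""
SAMPLE_SAFE = """\
interface=wlan0
wps_state=2
#ap_pin=12345670
"""

DOC_EXAMPLE_PIN = "12345670"  # sample value shown in the quoted hostapd.conf


def parse_hostapd_conf(text):
    """Return {key: (value, line_no)}; a later assignment overrides an earlier one."""
    settings = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Lines starting with '#' are comments; anything without '=' is ignored.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = (value.strip(), line_no)
    return settings


def audit_wps(text):
    """List findings about a static AP PIN in a hostapd.conf text."""
    cfg = parse_hostapd_conf(text)
    if "ap_pin" not in cfg:
        return []
    pin, line_no = cfg["ap_pin"]
    # Assumption: wps_state defaults to 0 (WPS disabled) when absent.
    if cfg.get("wps_state", ("0", 0))[0] == "0":
        return [f"line {line_no}: ap_pin set while wps_state=0; remove the stale PIN"]
    findings = [f"line {line_no}: static ap_pin with WPS enabled; "
                "prefer a temporary PIN set with hostapd_cli wps_ap_pin"]
    if pin == DOC_EXAMPLE_PIN:
        findings.append(f"line {line_no}: ap_pin is the documentation example value")
    return findings


if __name__ == "__main__":
    for name, conf in (("static", SAMPLE_STATIC), ("safe", SAMPLE_SAFE)):
        print(name, audit_wps(conf) or "no static AP PIN")
```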

