Bug 1767023 (CVE-2019-16275) - CVE-2019-16275 wpa_supplicant: AP mode PMF disconnection protection bypass
Summary: CVE-2019-16275 wpa_supplicant: AP mode PMF disconnection protection bypass
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-16275
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1767555 1767026 1767027 1767028
Blocks: 1767029
Reported: 2019-10-30 14:14 UTC by Guilherme de Almeida Suckevicz
Modified: 2019-11-04 19:15 UTC (History)

Fixed In Version: wpa_supplicant 2.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in wpa_supplicant. When Access Point (AP) mode and Protected Management Frames (PMF) (IEEE 802.11w) are enabled, wpa_supplicant does not perform enough validation on the source address of some received management frames. An attacker within the 802.11 communications range could use this flaw to inject an unauthenticated frame and perform a denial-of-service attack against another device which would be disconnected from the network.
Clone Of:
Environment:
Last Closed: 2019-10-31 18:51:35 UTC



Description Guilherme de Almeida Suckevicz 2019-10-30 14:14:17 UTC
hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range.

Reference:
https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Comment 1 Guilherme de Almeida Suckevicz 2019-10-30 14:16:28 UTC
Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1767028]
Affects: fedora-all [bug 1767027]


Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1767026]

Comment 2 Riccardo Schirone 2019-10-31 08:45:52 UTC
Upstream patch:
https://w1.fi/cgit/hostap/commit/?id=d86d66dc073bc21d3b12faf4112062ae00c1773f

Comment 3 Riccardo Schirone 2019-10-31 15:51:28 UTC
External References:

https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Comment 4 Riccardo Schirone 2019-10-31 16:10:26 UTC
The flaw allows bypassing PMF, which should prevent disconnect attacks. Thus affected versions include those compiled with PMF support (CONFIG_IEEE80211W=y) and that have AP mode and PMF enabled at runtime. Moreover, the flaw can be triggered only when it is wpa_supplicant itself that controls the authentication and association management frames (e.g. drivers that use mac80211) and not when the driver directly handles those frames.

However, when wpa_supplicant in AP mode is used, but PMF support is either not compiled in or not enabled at runtime, it is already possible for an attacker within the 802.11 communications range to perform a disconnect attack.

Comment 5 Riccardo Schirone 2019-10-31 16:42:24 UTC
Functions ap/ieee802_11.c:ieee802_11_mgmt() and ap/drv_callbacks.c:hostapd_notif_assoc() were not correctly checking that the received frames actually contained an expected SA. By sending frames with an unexpected SA it is possible to make wpa_supplicant in AP mode send response frames to another device and cause its disconnection.
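
An illustration of the kind of source-address check Comment 5 describes as missing, added here as an example; it is not the upstream patch and not hostapd/wpa_supplicant code. It assumes an "unexpected SA" means a group (multicast/broadcast) address, the all-zero address, or the AP's own address; `check_mgmt_sa`, `classify_sample`, the enum and the sample addresses are hypothetical or constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define MGMT_HDR_LEN 24 /* frame control, duration, DA, SA, BSSID, seq control */
#define SA_OFFSET 10    /* 2 (frame control) + 2 (duration) + 6 (DA) */
enum sa_verdict { SA_OK, SA_TRUNCATED, SA_GROUP, SA_ZERO, SA_OWN_ADDR };

/* Constructed sample addresses (locally administered), not from the page. */
static const uint8_t AP_ADDR[ETH_ALEN]   = { 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t STA_ADDR[ETH_ALEN]  = { 0x02, 0, 0, 0, 0, 0x02 };
static const uint8_t BCAST[ETH_ALEN]     = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
static const uint8_t ZERO_ADDR[ETH_ALEN] = { 0 };

/* Hypothetical helper: classify the SA of a received management frame before
 * any per-station state is created or any response frame is sent. */
enum sa_verdict check_mgmt_sa(const uint8_t *frame, size_t len,
                              const uint8_t own_addr[ETH_ALEN])
{
    const uint8_t *sa;
    if (frame == NULL || len < MGMT_HDR_LEN)
        return SA_TRUNCATED;   /* header incomplete: SA field not usable */
    sa = frame + SA_OFFSET;
    if (sa[0] & 0x01)
        return SA_GROUP;       /* group bit set: multicast or broadcast */
    if (memcmp(sa, ZERO_ADDR, ETH_ALEN) == 0)
        return SA_ZERO;
    if (memcmp(sa, own_addr, ETH_ALEN) == 0)
        return SA_OWN_ADDR;    /* frame claims to come from the AP itself */
    return SA_OK;
}

/* Build a constructed management header addressed to the AP with the given SA,
 * hand over only the first `len` bytes, and return the verdict. */
enum sa_verdict classify_sample(const uint8_t sa[ETH_ALEN], size_t len)
{
    uint8_t hdr[MGMT_HDR_LEN] = { 0 };    /* frame control 0x0000: assoc request */
    memcpy(hdr + 4, AP_ADDR, ETH_ALEN);   /* DA */
    memcpy(hdr + SA_OFFSET, sa, ETH_ALEN);
    memcpy(hdr + 16, AP_ADDR, ETH_ALEN);  /* BSSID */
    return check_mgmt_sa(hdr, len, AP_ADDR);
}

int main(void)
{
    printf("sta=%d bcast=%d\n", classify_sample(STA_ADDR, 24), classify_sample(BCAST, 24));
    return 0;
}
```

Only a frame with verdict `SA_OK` would go on to normal processing; any other verdict means the frame is dropped silently, so no response is sent to the address it names.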

Comment 9 Product Security DevOps Team 2019-10-31 18:51:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16275

Comment 10 Eric Christensen 2019-11-04 19:15:07 UTC
Statement:

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8. Versions of the package shipped in Red Hat Enterprise Linux 5 and 6 are built without AP mode (CONFIG_AP=y), while versions of the package shipped in Red Hat Enterprise Linux 7 and 8, even though they support AP mode, do not enable IEEE 802.11w (CONFIG_IEEE80211W=y). Both options are required for the flaw to be exploited.

