Bug 1960494 (CVE-2020-26142) - CVE-2020-26142 kernel: processing fragmented frames as full frames
Status: CLOSED NOTABUG
Alias: CVE-2020-26142
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1960495
Blocks: 1959275
Reported: 2021-05-14 03:37 UTC by Dhananjay Arunesh
Modified: 2022-01-14 15:59 UTC
Doc Text:
A flaw was found in the Linux kernel, where the WiFi implementations treat fragmented frames as full frames. This flaw allows an attacker to inject arbitrary network packets independent of the network configuration. The highest threat from this vulnerability is to integrity.
Last Closed: 2021-05-19 01:14:36 UTC

Description Dhananjay Arunesh 2021-05-14 03:37:23 UTC
A vulnerability was found in Linux Kernel, where the wifi implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.

Upstream patch:
https://lore.kernel.org/linux-wireless/20210511180259.159598-1-johannes@sipsolutions.net/

Comment 1 Dhananjay Arunesh 2021-05-14 03:38:01 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1960495]

Comment 2 Wade Mealing 2021-05-19 01:14:36 UTC
As per the research paper ( https://papers.mathyvanhoef.com/usenix2021.pdf page 13 and 14).

"Certain implementations, such as OpenBSD and the ESP-12F, do not support A-MSDUs or fragmented frames. However,
they are still vulnerable to attacks because they treat all frames as non-fragmented ones (CVE-2020-26142)."

Marking notaffected as I do not see where this is affecting RHEL or Linux systems.

I would suggest Fedora do the same, but I'll let them make that call.

Thanks.
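
Added example (not part of the bug report, the paper or the upstream patch): a C illustration of the header check a receiver without reassembly support can apply, so that a fragment is discarded rather than handled as a full frame as in the behaviour quoted above. The function names, the verdict enum and the sample header are hypothetical; the bit masks follow the 802.11 Frame Control and Sequence Control field layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FCTL_FTYPE     0x000c /* frame type bits of Frame Control */
#define FTYPE_CTL      0x0004 /* control frames: no Sequence Control field */
#define FCTL_MOREFRAGS 0x0400 /* More Fragments bit */
#define SCTL_FRAG      0x000f /* fragment number, low 4 bits of Sequence Control */
#define HDR_LEN        24     /* 3-address header; Sequence Control at offset 22 */

enum rx_verdict { RX_ACCEPT, RX_DROP_FRAGMENT, RX_DROP_MALFORMED };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed sample input: a zeroed header with only fc and sc filled in. */
void build_hdr(uint8_t h[HDR_LEN], uint16_t fc, uint16_t sc)
{
    memset(h, 0, HDR_LEN);
    h[0] = fc & 0xff;  h[1] = fc >> 8;
    h[22] = sc & 0xff; h[23] = sc >> 8;
}

/* Behaviour described in the bug: any frame is handled as a full frame. */
enum rx_verdict rx_naive(const uint8_t *f, size_t len)
{
    (void)f;
    return len >= HDR_LEN ? RX_ACCEPT : RX_DROP_MALFORMED;
}

/* Receiver without reassembly support: refuse anything that is a fragment. */
enum rx_verdict rx_checked(const uint8_t *f, size_t len)
{
    if (len < 2) return RX_DROP_MALFORMED;
    uint16_t fc = le16(f);
    if ((fc & FCTL_FTYPE) == FTYPE_CTL) return RX_ACCEPT; /* never fragmented */
    if (len < HDR_LEN) return RX_DROP_MALFORMED;
    if ((fc & FCTL_MOREFRAGS) || (le16(f + 22) & SCTL_FRAG))
        return RX_DROP_FRAGMENT; /* first/middle fragment, or a later one */
    return RX_ACCEPT;
}

int main(void)
{
    uint8_t h[HDR_LEN];
    build_hdr(h, 0x0408, 0x0640); /* data frame, More Fragments set, frag 0 */
    printf("naive=%d checked=%d\n", rx_naive(h, sizeof h), rx_checked(h, sizeof h));
    return 0;
}
```
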

Comment 6 Íñigo Huguet 2021-07-29 14:20:43 UTC
`git log --oneline --grep CVE-2020-24588` gives this output:
2c2bdd2372af mt76: validate rx A-MSDU subframes
079a108feba4 ath10k: drop MPDU which has discard flag set by firmware for SDIO
270032a2a9c4 mac80211: drop A-MSDUs on old ciphers
2b8a1fee3488 cfg80211: mitigate A-MSDU aggregation attacks

Looking at the patches, they claim to fix this CVE and similar attacks. I suggest reopening this BZ.

Comment 7 Íñigo Huguet 2021-07-29 14:23:56 UTC
(In reply to Íñigo Huguet from comment #6)
> `git log --oneline --grep CVE-2020-24588` gives this output:
> 2c2bdd2372af mt76: validate rx A-MSDU subframes
> 079a108feba4 ath10k: drop MPDU which has discard flag set by firmware for
> SDIO
> 270032a2a9c4 mac80211: drop A-MSDUs on old ciphers
> 2b8a1fee3488 cfg80211: mitigate A-MSDU aggregation attacks
> 
> Looking at the patches, they claim to fix this CVE and similar attacks. I
> suggest reopening this BZ.

Sorry, my mistake, I mixed 2 different CVEs. Forget that.

Comment 9 Justin M. Forbes 2022-01-14 15:59:54 UTC
This was fixed for Fedora with the 5.12.9 stable kernel updates.

