Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 10 Nov 2015 19:45:45 +0200
From: Jouni Malinen <j@...fi>
To: oss-security@...ts.openwall.com
Subject: wpa_supplicant unauthorized WNM Sleep Mode GTK control

wpa_supplicant unauthorized WNM Sleep Mode GTK control

Published: November 10, 2015
Identifier: CVE-2015-5310
Latest version available from: http://w1.fi/security/2015-6/


Vulnerability

A vulnerability in wpa_supplicant was found in WMM Sleep Mode Response
frame processing in a case where the association uses RSN (WPA2-Personal
or WPA2-Enterprise), but does not use management frame protection (MFP,
also known as PMF = protected management frames). This WNM Sleep Mode
mechanism was not designed to be used without management frame
protection, but there was no explicit check for that in wpa_supplicant.

wpa_supplicant accepted the updated GTK keys from this frame regardless
of whether management frame protection was negotiated for the
association. This may result in an unauthenticated, injected frame being
able to replace the GTK (the key used to protected broadcast and
multicast Data frames).

This vulnerability can be used to perform broadcast/multicast packet
injection and denial of service (prevent authorized broadcast/multicast
packets from being accepted) attacks by an attacker that is within radio
range of the station devices.


Vulnerable versions/configurations

wpa_supplicant v2.0-v2.5 with CONFIG_WNM=y the build configuration
(wpa_supplicant/.config) and a driver that sends WNM Action frames to
user space for processing. For example, most cfg80211/mac80211-based
drivers do this. However, some drivers do not seem to send the WNM Sleep
Mode Response frame to user space even though they are reporting some
other WNM Action frames. When wpa_supplicant is used with such a driver,
it may not be possible to trigger this vulnerability.


Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:

  WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use

  This patch is available from http://w1.fi/security/2015-6/
  (two different versions; one matching the exact hostap.git and another
  one for older snapshot prior to the unrelated changes in the file; the
  latter can be used to fix older wpa_supplicant versions).

- Update to wpa_supplicant v2.6 or newer, once available.

- Enable management frame protection in the AP and station configuration
  ("ieee80211w=2" in wpa_supplicant network profile).

- wpa_supplicant: Disable CONFIG_WNM=y in the build configuration
  (wpa_supplicant/.config) (i.e., remove the line or comment it out);
  note: this will disable all WNM functionality, so this mitigation option
  may not be appropriate for number of use cases.

-- 
Jouni Malinen                                            PGP id EFC895FA

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.