Bug 596042 (CVE-2015-5310, CVE-2015-5315, CVE-2015-5316, CVE-2016-4477)

Description Thomas Deutschmann (RETIRED) 2016-10-03 13:40:49 UTC

wpa_supplicant unauthorized WNM Sleep Mode GTK control (CVE-2015-5310)

A vulnerability in wpa_supplicant was found in WMM Sleep Mode Response
frame processing in a case where the association uses RSN (WPA2-Personal
or WPA2-Enterprise), but does not use management frame protection (MFP,
also known as PMF = protected management frames). This WNM Sleep Mode
mechanism was not designed to be used without management frame
protection, but there was no explicit check for that in wpa_supplicant.

wpa_supplicant accepted the updated GTK keys from this frame regardless
of whether management frame protection was negotiated for the
association. This may result in an unauthenticated, injected frame being
able to replace the GTK (the key used to protected broadcast and
multicast Data frames).

This vulnerability can be used to perform broadcast/multicast packet
injection and denial of service (prevent authorized broadcast/multicast
packets from being accepted) attacks by an attacker that is within radio
range of the station devices.


Vulnerable versions/configurations

wpa_supplicant v2.0-v2.5 with CONFIG_WNM=y the build configuration
(wpa_supplicant/.config) and a driver that sends WNM Action frames to
user space for processing. For example, most cfg80211/mac80211-based
drivers do this. However, some drivers do not seem to send the WNM Sleep
Mode Response frame to user space even though they are reporting some
other WNM Action frames. When wpa_supplicant is used with such a driver,
it may not be possible to trigger this vulnerability.

http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt



EAP-pwd last fragment validation (CVE-2015-5315)

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa_supplicant, respectively. When an incoming EAP-pwd
message is fragmented, the remaining reassembly buffer length was not
checked for the last fragment (but was checked for other
fragments). This allowed a suitably constructed last fragment frame to
try to add extra data that would go beyond the buffer. The length
validation code in wpabuf_put_data() prevents an actual buffer write
overflow from occurring, but this results in process termination.

For hostapd used with an internal EAP server and EAP-pwd enabled in the
runtime configuration, this could allow a denial of service attack by an
attacker within radio range of the AP device.

For hostapd used as a RADIUS server with EAP-pwd enabled in the runtime
configuration, this could allow a denial of service attack by an
attacker within radio range of any AP device that is authorized to use
the RADIUS server.

For wpa_supplicant with EAP-pwd enabled in a network configuration
profile, this could allow a denial of service attack by an attacker
within radio range.


Vulnerable versions/configurations

hostapd v2.0-v2.5 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa_supplicant v2.0-v2.5 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt



EAP-pwd unexpected Confirm message processing (CVE-2015-5316)

A vulnerability was found in EAP-pwd peer implementation used in
wpa_supplicant. If an EAP-pwd Confirm message is received unexpectedly
before the Identity exchange, the error path processing ended up
dereferencing a NULL pointer and terminating the process.

For wpa_supplicant with EAP-pwd enabled in a network configuration
profile, this could allow a denial of service attack by an attacker
within radio range.


Vulnerable versions/configurations

wpa_supplicant v2.3-v2.5 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt




WPS configuration update vulnerability with malformed passphrase (CVE-2016-4476)

A vulnerability was found in how hostapd and wpa_supplicant writes the
configuration file update for the WPA/WPA2 passphrase parameter. If this
parameter has been updated to include control characters either through
a WPS operation (CVE-2016-4476) or through local configuration change
over the wpa_supplicant control interface (CVE-2016-4477), the resulting
configuration file may prevent the hostapd and wpa_supplicant from
starting when the updated file is used. In addition for wpa_supplicant,
it may be possible to load a local library file and execute code from
there with the same privileges under which the wpa_supplicant process
runs.

The WPS trigger for this requires local user action to authorize the WPS
operation in which a new configuration would be received. The attacker
would also need to be in radio range of the device or have access to the
IP network to act as a WPS External Registrar. Such an attack could
result in denial of service by not allowing hostapd or wpa_supplicant to
start after they have been stopped.

The local configuration update through the control interface SET_NETWORK
command could allow privilege escalation for the local user to run code
from a locally stored library file under the same privileges as the
wpa_supplicant process has. The assumption here is that a not fully
trusted user/application might have access through a connection manager
to set network profile parameters like psk, but would not have access to
set other configuration file parameters. If the connection manager in
such a case does not filter out control characters from the psk value,
it could have been possible to practically update the global parameters
by embedding a newline character within the psk value. In addition, the
untrusted user/application would need to be able to install a library
file somewhere on the device from where the wpa_supplicant process has
privileges to load the library.

Similarly to the SET_NETWORK case, if a connection manager exposes
access to the SET_CRED or SET commands, similar issue with newline
characters can exist as those commands do not filter out control
characters from the value.

It should also be noted that providing unlimited access to the
wpa_supplicant control interface would allow arbitrary SET commands to
be issued. Such unlimited access should not be provided to untrusted
users/applications.


Vulnerable versions/configurations

For the local control interface attack vector (CVE-2016-4477):

wpa_supplicant v0.4.0-v2.5 with control interface enabled

update_config=1 must have been enabled in the configuration file.


For the WPS attack vector (CVE-2016-4476):

wpa_supplicant v0.6.7-v2.5 with CONFIG_WPS build option enabled
hostapd v0.6.7-v2.5 with CONFIG_WPS build option enabled

WPS needs to be enabled in the runtime operation and the WPS operation
needs to have been authorized by the local user over the control
interface. For wpa_supplicant, update_config=1 must have been enabled in
the configuration file.

http://w1.fi/security/2016-1/psk-parameter-config-update.txt



Configuration update vulnerability with malformed parameters set over the local control interface (CVE-2016-4477)

A vulnerability was found in how hostapd and wpa_supplicant writes the
configuration file update for the WPA/WPA2 passphrase parameter. If this
parameter has been updated to include control characters either through
a WPS operation (CVE-2016-4476) or through local configuration change
over the wpa_supplicant control interface (CVE-2016-4477), the resulting
configuration file may prevent the hostapd and wpa_supplicant from
starting when the updated file is used. In addition for wpa_supplicant,
it may be possible to load a local library file and execute code from
there with the same privileges under which the wpa_supplicant process
runs.

The WPS trigger for this requires local user action to authorize the WPS
operation in which a new configuration would be received. The attacker
would also need to be in radio range of the device or have access to the
IP network to act as a WPS External Registrar. Such an attack could
result in denial of service by not allowing hostapd or wpa_supplicant to
start after they have been stopped.

The local configuration update through the control interface SET_NETWORK
command could allow privilege escalation for the local user to run code
from a locally stored library file under the same privileges as the
wpa_supplicant process has. The assumption here is that a not fully
trusted user/application might have access through a connection manager
to set network profile parameters like psk, but would not have access to
set other configuration file parameters. If the connection manager in
such a case does not filter out control characters from the psk value,
it could have been possible to practically update the global parameters
by embedding a newline character within the psk value. In addition, the
untrusted user/application would need to be able to install a library
file somewhere on the device from where the wpa_supplicant process has
privileges to load the library.

Similarly to the SET_NETWORK case, if a connection manager exposes
access to the SET_CRED or SET commands, similar issue with newline
characters can exist as those commands do not filter out control
characters from the value.

It should also be noted that providing unlimited access to the
wpa_supplicant control interface would allow arbitrary SET commands to
be issued. Such unlimited access should not be provided to untrusted
users/applications.


Vulnerable versions/configurations

For the local control interface attack vector (CVE-2016-4477):

wpa_supplicant v0.4.0-v2.5 with control interface enabled

update_config=1 must have been enabled in the configuration file.


For the WPS attack vector (CVE-2016-4476):

wpa_supplicant v0.6.7-v2.5 with CONFIG_WPS build option enabled
hostapd v0.6.7-v2.5 with CONFIG_WPS build option enabled

WPS needs to be enabled in the runtime operation and the WPS operation
needs to have been authorized by the local user over the control
interface. For wpa_supplicant, update_config=1 must have been enabled in
the configuration file.

http://w1.fi/security/2016-1/psk-parameter-config-update.txt