wpa_supplicant unauthorized WNM Sleep Mode GTK control

Published: November 10, 2015
Identifier: CVE-2015-5310
Latest version available from: http://w1.fi/security/2015-6/

Vulnerability

A vulnerability in wpa_supplicant was found in WNM Sleep Mode Response frame processing in a case where the association uses RSN (WPA2-Personal or WPA2-Enterprise), but does not use management frame protection (MFP, also known as PMF = protected management frames). This WNM Sleep Mode mechanism was not designed to be used without management frame protection, but there was no explicit check for that in wpa_supplicant. wpa_supplicant accepted the updated GTK keys from this frame regardless of whether management frame protection was negotiated for the association. This may result in an unauthenticated, injected frame being able to replace the GTK (the key used to protect broadcast and multicast Data frames).

This vulnerability can be used to perform broadcast/multicast packet injection and denial of service (prevent authorized broadcast/multicast packets from being accepted) attacks by an attacker that is within radio range of the station devices.

Vulnerable versions/configurations

wpa_supplicant v2.0-v2.5 with CONFIG_WNM=y in the build configuration (wpa_supplicant/.config) and a driver that sends WNM Action frames to user space for processing. For example, most cfg80211/mac80211-based drivers do this. However, some drivers do not seem to send the WNM Sleep Mode Response frame to user space even though they are reporting some other WNM Action frames. When wpa_supplicant is used with such a driver, it may not be possible to trigger this vulnerability.

Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:

  WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use

  This patch is available from http://w1.fi/security/2015-6/ (two different versions; one matching the exact hostap.git and another one for an older snapshot prior to the unrelated changes in the file; the latter can be used to fix older wpa_supplicant versions).

- Update to wpa_supplicant v2.6 or newer, once available.

- Enable management frame protection in the AP and station configuration ("ieee80211w=2" in wpa_supplicant network profile).

- wpa_supplicant: Disable CONFIG_WNM=y in the build configuration (wpa_supplicant/.config) (i.e., remove the line or comment it out); note: this will disable all WNM functionality, so this mitigation option may not be appropriate for a number of use cases.
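The following is an added illustration of the missing check described above, written for this advisory and not taken from hostap.git or the referenced patch: a receiver for the WNM-Sleep Mode Response Action frame that only hands the Key Data field on for GTK installation when management frame protection was negotiated for the association. The frame layout, the sample frame and the verdict values are simplified assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
/* Assumed (simplified) WNM-Sleep Mode Response layout, field order as in
 * wpa_supplicant's wnm_sta.c: Category (10) | Action (17) | Dialog Token |
 * Key Data Length (LE16) | Key Data | WNM-Sleep Mode element | TFS Response */
#define WLAN_ACTION_WNM     10
#define WNM_SLEEP_MODE_RESP 17
#define WNM_HDR_LEN          5   /* octets before the Key Data field */

enum wnm_verdict {
    WNM_MALFORMED         = -1,
    WNM_NO_KEY_DATA       =  0,  /* process elements only, nothing to install */
    WNM_KEY_DATA_IGNORED  =  1,  /* no PMF on this association: drop Key Data */
    WNM_KEY_DATA_ACCEPTED =  2   /* frame was protected, GTK update may proceed */
};

/* pmf_enabled: whether management frame protection was negotiated for the
 * association. On WNM_KEY_DATA_ACCEPTED, *key_data/*key_len locate the field
 * that may be passed on for GTK installation; otherwise they are untouched. */
int wnm_sleep_resp_check(const uint8_t *frame, size_t len, int pmf_enabled,
                         const uint8_t **key_data, size_t *key_len)
{
    size_t klen;
    if (len < WNM_HDR_LEN || frame[0] != WLAN_ACTION_WNM ||
        frame[1] != WNM_SLEEP_MODE_RESP)
        return WNM_MALFORMED;
    klen = frame[3] | ((size_t) frame[4] << 8);
    if (klen > len - WNM_HDR_LEN)
        return WNM_MALFORMED;        /* Key Data Length runs past the frame */
    if (klen == 0)
        return WNM_NO_KEY_DATA;
    if (!pmf_enabled)
        return WNM_KEY_DATA_IGNORED; /* the CVE-2015-5310 check: unprotected frame */
    *key_data = frame + WNM_HDR_LEN;
    *key_len = klen;
    return WNM_KEY_DATA_ACCEPTED;
}
/* Constructed sample frame: dialog token 1, six dummy Key Data octets, then a
 * WNM-Sleep Mode element (ID 93, length 4) which this example does not parse. */
static const uint8_t sample_resp[] = {
    WLAN_ACTION_WNM, WNM_SLEEP_MODE_RESP, 0x01, 0x06, 0x00,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 93, 4, 0x01, 0x00, 0x00, 0x00 };
/* truncated=1 cuts the frame inside Key Data so the length field no longer fits. */
int sample_verdict(int pmf_enabled, int truncated)
{
    const uint8_t *kd = NULL; size_t kl = 0;
    size_t len = truncated ? WNM_HDR_LEN + 5 : sizeof(sample_resp);
    return wnm_sleep_resp_check(sample_resp, len, pmf_enabled, &kd, &kl);
}
```

With PMF off the sample's Key Data is dropped rather than installed, which is the behaviour the "ieee80211w=2" mitigation above makes the norm for every WNM frame.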