Ignore unauthenticated encrypted EAPOL-Key data

CVE-2018-14526 Upstream advisory: https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
2018-08-08 19:22:31 +02:00 · 2018-08-08 19:22:31 +02:00 · 1a3463cc4a
commit 1a3463cc4a
parent ce8fa396fd
2 changed files with 52 additions and 1 deletions
--- a/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+++ b/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
@ -0,0 +1,44 @@
 From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
 From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
 Date: Sun, 15 Jul 2018 01:25:53 +0200
 Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
 Ignore unauthenticated encrypted EAPOL-Key data in supplicant
 processing. When using WPA2, these are frames that have the Encrypted
 flag set, but not the MIC flag.
 When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
 not the MIC flag, had their data field decrypted without first verifying
 the MIC. In case the data field was encrypted using RC4 (i.e., when
 negotiating TKIP as the pairwise cipher), this meant that
 unauthenticated but decrypted data would then be processed. An adversary
 could abuse this as a decryption oracle to recover sensitive information
 in the data field of EAPOL-Key messages (e.g., the group key).
 (CVE-2018-14526)
 Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
 ---
 src/rsn_supp/wpa.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
 --- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c	2016-10-02 21:51:11.000000000 +0300
 +++ wpa_supplicant-2.6/src/rsn_supp/wpa.c	2018-08-08 16:55:11.506831029 +0300
@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
 +		/*
 +		 * Only decrypt the Key Data field if the frame's authenticity
 +		 * was verified. When using AES-SIV (FILS), the MIC flag is not
 +		 * set, so this check should only be performed if mic_len != 0
 +		 * which is the case in this code branch.
 +		 */
 +		if (!(key_info & WPA_KEY_INFO_MIC)) {
 +			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 +				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
 +			goto out;
 +		}
 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
 						    &key_data_len))
 			goto out;
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.6
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@ -106,6 +106,9 @@ Patch62: rh1567474-0002-D-Bus-Add-pmf-to-global-capabilities.patch
 # fix wrong encoding of NL80211_ATTR_SMPS_MODE (rh #1570903)
 Patch63: rh1570903-nl80211-Fix-NL80211_ATTR_SMPS_MODE-encoding.patch
 # Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526)
 Patch64: https://w1.fi/security/2018-1/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
 URL: http://w1.fi/wpa_supplicant/
 %if %{build_gui}
@ -210,6 +213,7 @@ Graphical User Interface for wpa_supplicant written using QT
 %patch61 -p1 -b .rh1567474-pmf-0001
 %patch62 -p1 -b .rh1567474-pmf-0002
 %patch63 -p1 -b .rh1570903
 %patch64 -p1 -b .2018-1
 %build
 pushd wpa_supplicant
@ -307,6 +311,9 @@ chmod -R 0644 %{name}/examples/*.py
 %endif
 %changelog
 * Wed Aug  8 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-18
 - Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526)
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.6-17
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild