Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 14 Aug 2018 20:24:11 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r337819 - head/contrib/wpa/src/rsn_supp
Message-ID:  <201808142024.w7EKOB4o011520@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: cy
Date: Tue Aug 14 20:24:10 2018
New Revision: 337819
URL: https://svnweb.freebsd.org/changeset/base/337819

Log:
  MFV r337818:
  
  WPA: Ignore unauthenticated encrypted EAPOL-Key data
  
  Ignore unauthenticated encrypted EAPOL-Key data in supplicant
  processing. When using WPA2, these are frames that have the Encrypted
  flag set, but not the MIC flag.
  
  When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
  not the MIC flag, had their data field decrypted without first verifying
  the MIC. In case the data field was encrypted using RC4 (i.e., when
  negotiating TKIP as the pairwise cipher), this meant that
  unauthenticated but decrypted data would then be processed. An adversary
  could abuse this as a decryption oracle to recover sensitive information
  in the data field of EAPOL-Key messages (e.g., the group key).
  (CVE-2018-14526)
  
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
  
  Obtained from:  git://w1.fi/hostap.git
  MFC after:      1 day
  Security:       CVE-2018-14526
  Security:       VuXML: 6bedc863-9fbe-11e8-945f-206a8a720317

Modified:
  head/contrib/wpa/src/rsn_supp/wpa.c
Directory Properties:
  head/contrib/wpa/   (props changed)

Modified: head/contrib/wpa/src/rsn_supp/wpa.c
==============================================================================
--- head/contrib/wpa/src/rsn_supp/wpa.c	Tue Aug 14 20:10:25 2018	(r337818)
+++ head/contrib/wpa/src/rsn_supp/wpa.c	Tue Aug 14 20:24:10 2018	(r337819)
@@ -2072,6 +2072,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_a
 
 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
+		/*
+		 * Only decrypt the Key Data field if the frame's authenticity
+		 * was verified. When using AES-SIV (FILS), the MIC flag is not
+		 * set, so this check should only be performed if mic_len != 0
+		 * which is the case in this code branch.
+		 */
+		if (!(key_info & WPA_KEY_INFO_MIC)) {
+			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
+			goto out;
+		}
 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
 						    &key_data_len))
 			goto out;

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201808142024.w7EKOB4o011520>