CVE-2015-5310

## Vulnerability wpa_supplicant versions 2.0 through 2.5 with CONFIG_WNM=y and a driver that forwards WNM Action frames to userspace (e.g., most cfg80211/mac80211-based drivers) accept the Group Temporal Key (GTK) from a WNM Sleep Mode Response frame even when management frame protection (MFP/PMF) was not negotiated for the association [4]. The WNM Sleep Mode mechanism was not designed for use without MFP, but no explicit check existed [3].

Exploitation

An attacker within radio range of a station using an affected wpa_supplicant version can inject a forged WNM Sleep Mode Response frame containing a new GTK [4]. No authentication or user interaction is required; the attacker only needs to be able to send Wi-Fi frames to the victim station.

Impact

Successful exploitation allows the attacker to replace the GTK, enabling injection of arbitrary broadcast or multicast packets that will be accepted by the victim, or to cause a denial of service by making the station ignore legitimate broadcast/multicast packets [4]. This can lead to man-in-the-middle attacks on broadcast traffic or disruption of network services.

Mitigation

The vulnerability is fixed in wpa_supplicant version 2.6 [4]. The patch commit "WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use" should be applied [4]. Android devices received the fix in the January 2016 security bulletin (builds LMY49F or later, Android 6.0 with patch level January 1, 2016) [1]. Ubuntu users can update via USN-2808-1 [2]. No workaround is available if the patch cannot be applied; disabling WNM (if possible) may reduce exposure.