CVE-2015-5310
Published 2016-01-06
Priority: P4 · 22 · medium · 4.3 (CVSS 3.0)
AV:A AC:L PR:N UI:N S:U C:L I:N A:N
EPSS: 1.17% (63.4th percentile)
The WNM Sleep Mode code in wpa_supplicant 2.x before 2.6 does not properly ignore key data in response frames when management frame protection (MFP) was not negotiated, which allows remote attackers to inject arbitrary broadcast or multicast packets or cause a denial of service (ignored packets) via a WNM Sleep Mode response.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wpa | < wpa 2.3-2.3 (bookworm) | wpa 2.3-2.3 (bookworm) |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
CVSS provenance
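| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 3.3 | LOW | AV:A/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |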
GHSA
GHSA-w9vx-28m4-g24h: The WNM Sleep Mode code in wpa_supplicant 2
ghsa_unreviewed·2022-05-14
CVE-2015-5310 [MEDIUM] CWE-200 GHSA-w9vx-28m4-g24h: The WNM Sleep Mode code in wpa_supplicant 2
OSV
CVE-2015-5310: The WNM Sleep Mode code in wpa_supplicant 2
osv·2016-01-06·CVSS 4.3
OSV
wpa vulnerabilities
osv·2015-11-10·CVSS 4.3
It was discovered that wpa_supplicant incorrectly handled WMM Sleep Mode Response frame processing. A remote attacker could use this issue to perform broadcast/multicast packet injections, or cause a denial of service. (CVE-2015-5310)
It was discovered that wpa_supplicant and hostapd incorrectly handled certain EAP-pwd messages. A remote attacker could use this issue to cause a denial of service. (CVE-2015-5314, CVE-2015-5315)
It was discovered that wpa_supplicant incorrectly handled certain EAP-pwd Confirm messages. A remote attacker could use this issue to cause a denial of service. This issue only applied to Ubuntu 15.10. (CVE-2015-5316)
Android
CVE-2015-5310: Android Security Bulletin 2016-01-01
vendor_android·2016-01-01·CVSS 4.3
Android Security Bulletin 2016-01-01
CVE: CVE-2015-5310
Severity: MEDIUM
Affected AOSP versions: 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1
Red Hat
wpa_supplicant: unauthorized WNM Sleep Mode GTK control
vendor_redhat·2015-11-10·CVSS 4.3
Statement: Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the WNM functionality.
Package: wpa_supplicant (Red Hat Enterprise Linux 5) - Not affected
Package: wpa_supplicant (Red Hat Enterprise Linux 6) - Not affected
Package: wpa_supplicant (Red Hat Enterprise Linux 7) - Not affected
Ubuntu
wpa_supplicant and hostapd vulnerabilities
vendor_ubuntu·2015-11-10·CVSS 4.3
Summary: Several security issues were fixed in wpa_supplicant and hostapd.
Instructions: After a
Debian
CVE-2015-5310: wpa - The WNM Sleep Mode code in wpa_supplicant 2.x before 2.6 does not properly ignor...
vendor_debian·2015·CVSS 4.3
Scope: local
bookworm: resolved (fixed in 2.3-2.3)
bullseye: resolved (fixed in 2.3-2.3)
forky: resolved (fixed in 2.3-2.3)
sid: resolved (fixed in 2.3-2.3)
trixie: resolved (fixed in 2.3-2.3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-5310 wpa_supplicant: unauthorized WNM Sleep Mode GTK control [fedora-all]
bugzilla·2015-11-11·CVSS 4.3
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported version
Bugzilla
CVE-2015-5310 wpa_supplicant: unauthorized WNM Sleep Mode GTK control
bugzilla·2015-11-04·CVSS 4.3
The following flaw was reported in wpa_supplicant:
A vulnerability in wpa_supplicant was found in WMM Sleep Mode Response frame processing in a case where the association uses RSN (WPA2-Personal or WPA2-Enterprise), but does not use management frame protection (MFP, also known as PMF = protected management frames). This WNM Sleep Mode mechanism was not designed to be used without management frame protection, but there was no explicit check for that in wpa_supplicant.
wpa_supplicant accepted the updated GTK keys from this frame regardless of whether management frame protection was negotiated for the association. This may result in an unauthenticated, injected frame being able to replace the GTK (the key used to protect
http://source.android.com/security/bulletin/2016-01-01.html
http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt
http://www.debian.org/security/2015/dsa-3397
http://www.openwall.com/lists/oss-security/2015/11/10/9
http://www.securityfocus.com/bid/77541
http://www.securitytracker.com/id/1034592
http://www.ubuntu.com/usn/USN-2808-1