Changeset 2338

Oct 2, 2013, 8:44:27 AM (5 years ago)

Backport r2328: ra_wifi: Disable WPS enrollee and proxy roles

In the WPS protocol, an access point can act as an enrollee to an
external registrar, allowing that external registrar to access and set
the configuration details of the AP. Authentication happens using the
AP's pin code (which is internally generated in the wifi driver, but not
shown to the user anywhere). This mode is not supported on the 2.0n, but
it was accidentally enabled nonetheless.

Due to the way the WPS authentication protocol works, this PIN code can
be easily bruteforced if the PIN code remains fixed. The WPS
specification has provisions against this (changing the pin code or
implementing a lockout), but the Ralink wifi driver implements none of
these. This problem is commonly referred to as the "WPS PIN
vulnerability" (CVE-2011-5053).

It was previously believed that the 2.0n was not vulnerable to this
attack, because it only supports WPS-PBC (pushbutton), not WPS-PIN.
However, this only concerns the authentication of a wifi client (enrollee)
when the AP is acting as the registrar, which is distinct from the
external registrar mode that can be exploited.

This commit completely disables this external registrar mode by
disabling the "proxy" and "enrollee" roles in the wifi driver.

1 edited


  • branches/2.3.7/fon/ra_wifi/files/lib/wifi/

    r2194 r2338  
    237237                                        iwpriv $ifname set "SSID=${ssid}"
    238238                                        if [ "$wps" == "1" ]; then
    239                                                 iwpriv $ifname set WscConfMode=7
     239                                                iwpriv $ifname set WscConfMode=4
    240240                                        else
    241241                                                iwpriv $ifname set WscConfMode=0
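Review bot: The new value on line 239, WscConfMode=4, is a bare magic number, and nothing in the script says which WPS roles it leaves enabled or why 7 must not come back. Add a short comment above that line stating that this value keeps the registrar role only and that the enrollee and proxy roles are left off because of the external registrar PIN issue (CVE-2011-5053) described in the commit message, so a later edit does not restore 7 by accident. The WscConfMode=0 branch for wps disabled is unchanged and needs no edit.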