List: oss-security
Subject: Re: [oss-security] hostapd/wpa_supplicant: AP mode PMF disconnection protection bypass
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2019-09-12 19:14:53
Message-ID: 20190912191453.GA3629 () eldamar ! local
On Wed, Sep 11, 2019 at 01:37:01PM +0300, Jouni Malinen wrote:
> Published: September 11, 2019
> Latest version available from: https://w1.fi/security/2019-7/
>
> Vulnerability
>
> hostapd (and wpa_supplicant when controlling AP mode) did not perform
> sufficient source address validation for some received Management frames
> and this could result in ending up sending a frame that caused
> associated stations to incorrectly believe they were disconnected from
> the network even if management frame protection (also known as PMF) was
> negotiated for the association. This could be considered to be a denial
> of service vulnerability since PMF is supposed to protect from this type
> of issues. It should be noted that if PMF is not enabled, there would be
> no protocol level protection against this type of denial of service
> attacks.
>
> An attacker in radio range of the access point could inject a specially
> constructed unauthenticated IEEE 802.11 frame to the access point to
> cause associated stations to be disconnected and require a reconnection
> to the network.
>
>
> Vulnerable versions/configurations
>
> All hostapd and wpa_supplicant versions with PMF support
> (CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
> PMF being enabled (optional or required). In addition, this would be
> applicable only when using user space based MLME/SME in AP mode, i.e.,
> when hostapd (or wpa_supplicant when controlling AP mode) would process
> authentication and association management frames. This condition would
> be applicable mainly with drivers that use mac80211.
>
>
> Possible mitigation steps
>
> - Merge the following commit to wpa_supplicant/hostapd and rebuild:
>
>   AP: Silently ignore management frame from unexpected source address
>
>   This patch is available from https://w1.fi/security/2019-7/
>
> - Update to wpa_supplicant/hostapd v2.10 or newer, once available

CVE-2019-16275 was assigned for this issue (requested via
https://cveform.mitre.org/).

Regards,
Salvatore
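
A triage check for the "Vulnerable versions/configurations" and "Possible mitigation steps" sections of the quoted advisory, added here as an example and not part of the original message or of hostapd itself. It assumes the `hostapd.conf` option `ieee80211w` (0 = disabled, 1 = optional, 2 = required, set per BSS) and a version string as printed by `hostapd -v`; it does not check the build option or the user space MLME/SME condition.

```python
import re

PMF_MODES = {0: "disabled", 1: "optional", 2: "required"}
FIXED_IN = (2, 10)  # from the advisory: "Update to ... v2.10 or newer"

def pmf_per_bss(conf_text):
    """Return {bss_name: ieee80211w value} for each BSS in a hostapd.conf."""
    result, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if key in ("interface", "bss"):      # each one starts a new BSS block
            current = value
            result[current] = 0              # default when unset: PMF disabled
        elif key == "ieee80211w" and current is not None:
            result[current] = int(value)
    return result

def parse_version(text):
    """'hostapd v2.9' -> (2, 9); compared as a tuple so that 2.10 > 2.9."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return int(m.group(1)), int(m.group(2))

def triage(conf_text, version_text):
    """List (bss, pmf_mode) pairs matching the advisory's vulnerable setup."""
    if parse_version(version_text) >= FIXED_IN:
        return []
    return [(bss, PMF_MODES.get(mode, "unknown"))
            for bss, mode in pmf_per_bss(conf_text).items() if mode in (1, 2)]

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
interface=wlan0
ssid=corp
ieee80211w=2
bss=wlan0_guest
# ieee80211w=1
bss=wlan0_iot
ieee80211w=1
"""

if __name__ == "__main__":
    for bss, mode in triage(SAMPLE_CONF, "hostapd v2.9"):
        print(f"{bss}: PMF {mode}, needs the 2019-7 patch or v2.10+")
```

A build older than v2.10 that already carries the patch from https://w1.fi/security/2019-7/ is still flagged by the version comparison, so confirm against the package changelog before acting on the result.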