List:       oss-security
Subject:    Re: [oss-security] hostapd/wpa_supplicant: AP mode PMF disconnection protection bypass
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2019-09-12 19:14:53
Message-ID: 20190912191453.GA3629 () eldamar ! local

On Wed, Sep 11, 2019 at 01:37:01PM +0300, Jouni Malinen wrote:
> Published: September 11, 2019
> Latest version available from: https://w1.fi/security/2019-7/
> 
> Vulnerability
> 
> hostapd (and wpa_supplicant when controlling AP mode) did not perform
> sufficient source address validation for some received Management frames
> and this could result in ending up sending a frame that caused
> associated stations to incorrectly believe they were disconnected from
> the network even if management frame protection (also known as PMF) was
> negotiated for the association. This could be considered to be a denial
> of service vulnerability since PMF is supposed to protect from this type
> of issues. It should be noted that if PMF is not enabled, there would be
> no protocol level protection against this type of denial of service
> attacks.
> 
> An attacker in radio range of the access point could inject a specially
> constructed unauthenticated IEEE 802.11 frame to the access point to
> cause associated stations to be disconnected and require a reconnection
> to the network.
> 
> 
> Vulnerable versions/configurations
> 
> All hostapd and wpa_supplicant versions with PMF support
> (CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
> PMF being enabled (optional or required). In addition, this would be
> applicable only when using user space based MLME/SME in AP mode, i.e.,
> when hostapd (or wpa_supplicant when controlling AP mode) would process
> authentication and association management frames. This condition would
> be applicable mainly with drivers that use mac80211.
> 
> 
> Possible mitigation steps
> 
> - Merge the following commit to wpa_supplicant/hostapd and rebuild:
> 
>   AP: Silently ignore management frame from unexpected source address
> 
>   This patch is available from https://w1.fi/security/2019-7/
> 
> - Update to wpa_supplicant/hostapd v2.10 or newer, once available

CVE-2019-16275 was assigned for this issue (requested via
https://cveform.mitre.org/).

Regards,
Salvatore
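
Added example (not part of the original message and not the hostapd patch itself): a sketch of the kind of source address check the quoted mitigation describes, applied to an Authentication/Association frame before the AP generates any response. The advisory does not enumerate which source addresses count as unexpected; this sketch assumes group-addressed, all-zero, and the AP's own address. The function names and the sample AP address are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define MGMT_HDR_LEN 24 /* FC(2) Dur(2) DA(6) SA(6) BSSID(6) SeqCtrl(2) */
#define SA_OFFSET 10    /* Address 2 = source address */

/* Constructed AP address (locally administered), used by the sample below. */
static const uint8_t SAMPLE_AP[ETH_ALEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

static bool is_zero_addr(const uint8_t *a)
{
    static const uint8_t zero[ETH_ALEN];
    return memcmp(a, zero, ETH_ALEN) == 0;
}

/*
 * Returns true when the frame may be processed further. Assumed set of
 * "unexpected" sources: group-addressed (I/G bit set, covers broadcast),
 * all-zero, or the AP's own address. A false result means: drop silently,
 * do not send any reply frame toward that address.
 */
bool ap_mgmt_sa_acceptable(const uint8_t *frame, size_t len,
                           const uint8_t *own_addr)
{
    const uint8_t *sa;

    if (len < MGMT_HDR_LEN)
        return false; /* truncated header, SA cannot be trusted */
    sa = frame + SA_OFFSET;
    if ((sa[0] & 0x01) || is_zero_addr(sa))
        return false;
    if (memcmp(sa, own_addr, ETH_ALEN) == 0)
        return false;
    return true;
}

/* Constructed sample: Authentication frame header carrying the given SA. */
bool sample_verdict(const uint8_t *sa)
{
    uint8_t f[MGMT_HDR_LEN] = {0xb0, 0x00}; /* type 0, subtype 11 */

    memcpy(f + 4, SAMPLE_AP, ETH_ALEN);  /* DA = AP */
    memcpy(f + SA_OFFSET, sa, ETH_ALEN); /* SA under test */
    memcpy(f + 16, SAMPLE_AP, ETH_ALEN); /* BSSID = AP */
    return ap_mgmt_sa_acceptable(f, sizeof(f), SAMPLE_AP);
}
```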