openwrt/package/network/services
Stefan Lippers-Hollmann 57ab9e3add hostapd: fix CVE-2019-9496
hostapd: fix SAE confirm missing state validation

Published: April 10, 2019
Identifiers:
- CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
Latest version available from: https://w1.fi/security/2019-3/

Vulnerability

When hostapd is used to operate an access point with SAE (Simultaneous
Authentication of Equals; also known as WPA3-Personal), an invalid
authentication sequence could result in the hostapd process terminating
due to a NULL pointer dereference when processing SAE confirm
message. This was caused by missing state validation steps when
processing the SAE confirm message in hostapd/AP mode.

Similar cases against the wpa_supplicant SAE station implementation had
already been tested by the hwsim test cases, but those sequences did not
trigger this specific code path in AP mode which is why the issue was
not discovered earlier.

An attacker in radio range of an access point using hostapd in SAE
configuration could use this issue to perform a denial of service attack
by forcing the hostapd process to terminate.

Vulnerable versions/configurations

All hostapd versions with SAE support (CONFIG_SAE=y in the build
configuration and SAE being enabled in the runtime configuration).

Possible mitigation steps

- Merge the following commit to hostapd and rebuild:

  SAE: Fix confirm message validation in error cases

  These patches are available from https://w1.fi/security/2019-3/

- Update to hostapd v2.8 or newer, once available

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-04-11 11:26:01 +02:00
..
dnsmasq package/dnsmasq: add max_ttl/min_cache_ttl/max_cache_ttl 2019-02-24 01:48:25 +01:00
dropbear dropbear: bump to 2019.78 2019-04-07 20:32:55 +02:00
ead
hostapd hostapd: fix CVE-2019-9496 2019-04-11 11:26:01 +02:00
igmpproxy
ipset-dns
lldpd
odhcpd odhcpd: update to latest git HEAD 2019-04-05 12:04:01 +02:00
omcproxy omcproxy: define configuration file 2019-02-27 10:26:14 +01:00
openvpn openvpn: openssl: explicitly depend on deprecated APIs 2019-04-03 10:00:39 +02:00
openvpn-easy-rsa
ppp ppp: update to version 2.4.7.git-2018-06-23 2019-01-25 14:55:46 +01:00
relayd
samba36 samba36: allow build with no ipv6 support 2019-02-17 19:22:39 +01:00
uhttpd uhttpd: disable concurrent requests by default 2019-01-30 10:12:00 +01:00
umdns
wireguard wireguard: remove obvious comments 2019-04-09 22:25:11 +02:00