Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190912191453.GA3629@eldamar.local>
Date: Thu, 12 Sep 2019 21:14:53 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Jouni Malinen <j@...fi>
Subject: Re: hostapd/wpa_supplicant: AP mode PMF disconnection
 protection bypass

On Wed, Sep 11, 2019 at 01:37:01PM +0300, Jouni Malinen wrote:
> Published: September 11, 2019
> Latest version available from: https://w1.fi/security/2019-7/
> 
> Vulnerability
> 
> hostapd (and wpa_supplicant when controlling AP mode) did not perform
> sufficient source address validation for some received Management frames
> and this could result in ending up sending a frame that caused
> associated stations to incorrectly believe they were disconnected from
> the network even if management frame protection (also known as PMF) was
> negotiated for the association. This could be considered to be a denial
> of service vulnerability since PMF is supposed to protect from this type
> of issues. It should be noted that if PMF is not enabled, there would be
> no protocol level protection against this type of denial service
> attacks.
> 
> An attacker in radio range of the access point could inject a specially
> constructed unauthenticated IEEE 802.11 frame to the access point to
> cause associated stations to be disconnected and require a reconnection
> to the network.
> 
> 
> Vulnerable versions/configurations
> 
> All hostapd and wpa_supplicants versions with PMF support
> (CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
> PMF being enabled (optional or required). In addition, this would be
> applicable only when using user space based MLME/SME in AP mode, i.e.,
> when hostapd (or wpa_supplicant when controlling AP mode) would process
> authentication and association management frames. This condition would
> be applicable mainly with drivers that use mac80211.
> 
> 
> Possible mitigation steps
> 
> - Merge the following commit to wpa_supplicant/hostapd and rebuild:
> 
>   AP: Silently ignore management frame from unexpected source address
> 
>   This patch is available from https://w1.fi/security/2019-7/
> 
> - Update to wpa_supplicant/hostapd v2.10 or newer, once available

CVE-2019-16275 was assigned for this issue (requested via
https://cveform.mitre.org/).

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.