Date: Wed, 10 Apr 2019 18:15:34 +0300 From: Jouni Malinen <j@...fi> To: oss-security@...ts.openwall.com Subject: hostapd: SAE confirm missing state validation Published: April 10, 2019 Identifiers: - CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) Latest version available from: https://w1.fi/security/2019-3/ Vulnerability When hostapd is used to operate an access point with SAE (Simultaneous Authentication of Equals; also known as WPA3-Personal), an invalid authentication sequence could result in the hostapd process terminating due to a NULL pointer dereference when processing SAE confirm message. This was caused by missing state validation steps when processing the SAE confirm message in hostapd/AP mode. Similar cases against the wpa_supplicant SAE station implementation had already been tested by the hwsim test cases, but those sequences did not trigger this specific code path in AP mode which is why the issue was not discovered earlier. An attacker in radio range of an access point using hostapd in SAE configuration could use this issue to perform a denial of service attack by forcing the hostapd process to terminate. Vulnerable versions/configurations All hostapd versions with SAE support (CONFIG_SAE=y in the build configuration and SAE being enabled in the runtime configuration). Possible mitigation steps - Merge the following commit to hostapd and rebuild: SAE: Fix confirm message validation in error cases These patches are available from https://w1.fi/security/2019-3/ - Update to hostapd v2.8 or newer, once available -- Jouni Malinen PGP id EFC895FA
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.