3e9f3a3ebd
AP mode PMF disconnection protection bypass Published: September 11, 2019 Identifiers: - CVE-2019-16275 Latest version available from: https://w1.fi/security/2019-7/ Vulnerability hostapd (and wpa_supplicant when controlling AP mode) did not perform sufficient source address validation for some received Management frames and this could result in ending up sending a frame that caused associated stations to incorrectly believe they were disconnected from the network even if management frame protection (also known as PMF) was negotiated for the association. This could be considered to be a denial of service vulnerability since PMF is supposed to protect from this type of issues. It should be noted that if PMF is not enabled, there would be no protocol level protection against this type of denial service attacks. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Vulnerable versions/configurations All hostapd and wpa_supplicants versions with PMF support (CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with PMF being enabled (optional or required). In addition, this would be applicable only when using user space based MLME/SME in AP mode, i.e., when hostapd (or wpa_supplicant when controlling AP mode) would process authentication and association management frames. This condition would be applicable mainly with drivers that use mac80211. Possible mitigation steps - Merge the following commit to wpa_supplicant/hostapd and rebuild: AP: Silently ignore management frame from unexpected source address This patch is available from https://w1.fi/security/2019-7/ - Update to wpa_supplicant/hostapd v2.10 or newer, once available |
||
---|---|---|
.. | ||
default.nix |