Bug 1699153 (CVE-2019-9496)

Summary: CVE-2019-9496 hostapd: SAE confirm missing state validation in hostapd/AP
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dcaratti, linville, negativo17, sukulkar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-12 14:45:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1699154, 1699155    
Bug Blocks: 1687612    

Description Laura Pardo 2019-04-11 22:28:30 UTC
A vulnerability was found in hostapd. When used to operate an access point with SAE (SimultaneousAuthentication of Equals; also known as WPA3-Personal), an invalid authentication sequence could result in the hostapd process terminating due to a NULL pointer dereference when processing SAE confirm message. This was caused by missing state validation steps when processing the SAE confirm message in hostapd/AP mode. An attacker in radio range of an access point using hostapd in SAE configuration could use this issue to perform a denial of service attack by forcing the hostapd process to terminate.


References:
https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
https://wpa3.mathyvanhoef.com/

Upstream Patch:
https://w1.fi/cgit/hostap/commit/?id=ac8fa9ef198640086cf2ce7c94673be2b6a018a0

Comment 1 Laura Pardo 2019-04-11 22:28:46 UTC
Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1699155]
Affects: fedora-all [bug 1699154]

Comment 3 Riccardo Schirone 2019-04-12 14:28:37 UTC
Statement:

Red Hat Enterprise Linux 5, 6, and 7 do not ship hostapd and they are not affected by this flaw.

Comment 4 Riccardo Schirone 2019-04-12 14:30:42 UTC
According to the external reference:
"Similar cases against the wpa_supplicant SAE station implementation had already been tested by the hwsim test cases, but those sequences did not trigger this specific code path in AP mode which is why the issue was not discovered earlier."

wpa_supplicant as shipped in Red Hat Enterprise Linux is not compiled with CONFIG_SAE=y, but even if it was, this flaw would not affect it in AP mode anyway.

Comment 5 Laura Pardo 2019-04-12 20:30:50 UTC
Acknowledgments:

Name: Mathy Vanhoef (NYUAD), Eyal Ronen (Tel Aviv University & KU Leuven)

Comment 8 Fedora Update System 2019-04-23 18:49:17 UTC
hostapd-2.7-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2019-04-23 20:13:58 UTC
hostapd-2.7-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.