Bug 1699153 (CVE-2019-9496) - CVE-2019-9496 hostapd: SAE confirm missing state validation in hostapd/AP
Summary: CVE-2019-9496 hostapd: SAE confirm missing state validation in hostapd/AP
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-9496
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1699154 1699155
Blocks: 1687612
TreeView+ depends on / blocked
 
Reported: 2019-04-11 22:28 UTC by Laura Pardo
Modified: 2019-09-29 15:11 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-12 14:45:07 UTC


Attachments (Terms of Use)

Description Laura Pardo 2019-04-11 22:28:30 UTC
A vulnerability was found in hostapd. When used to operate an access point with SAE (SimultaneousAuthentication of Equals; also known as WPA3-Personal), an invalid authentication sequence could result in the hostapd process terminating due to a NULL pointer dereference when processing SAE confirm message. This was caused by missing state validation steps when processing the SAE confirm message in hostapd/AP mode. An attacker in radio range of an access point using hostapd in SAE configuration could use this issue to perform a denial of service attack by forcing the hostapd process to terminate.


References:
https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
https://wpa3.mathyvanhoef.com/

Upstream Patch:
https://w1.fi/cgit/hostap/commit/?id=ac8fa9ef198640086cf2ce7c94673be2b6a018a0

Comment 1 Laura Pardo 2019-04-11 22:28:46 UTC
Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1699155]
Affects: fedora-all [bug 1699154]

Comment 3 Riccardo Schirone 2019-04-12 14:28:37 UTC
Statement:

Red Hat Enterprise Linux 5, 6, and 7 do not ship hostapd and they are not affected by this flaw.

Comment 4 Riccardo Schirone 2019-04-12 14:30:42 UTC
According to the external reference:
"Similar cases against the wpa_supplicant SAE station implementation had already been tested by the hwsim test cases, but those sequences did not trigger this specific code path in AP mode which is why the issue was not discovered earlier."

wpa_supplicant as shipped in Red Hat Enterprise Linux is not compiled with CONFIG_SAE=y, but even if it was, this flaw would not affect it in AP mode anyway.

Comment 5 Laura Pardo 2019-04-12 20:30:50 UTC
Acknowledgments:

Name: Mathy Vanhoef (NYUAD), Eyal Ronen (Tel Aviv University & KU Leuven)

Comment 8 Fedora Update System 2019-04-23 18:49:17 UTC
hostapd-2.7-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2019-04-23 20:13:58 UTC
hostapd-2.7-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.