A vulnerability was found in hostapd. When used to operate an access point with SAE (SimultaneousAuthentication of Equals; also known as WPA3-Personal), an invalid authentication sequence could result in the hostapd process terminating due to a NULL pointer dereference when processing SAE confirm message. This was caused by missing state validation steps when processing the SAE confirm message in hostapd/AP mode. An attacker in radio range of an access point using hostapd in SAE configuration could use this issue to perform a denial of service attack by forcing the hostapd process to terminate. References: https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt https://wpa3.mathyvanhoef.com/ Upstream Patch: https://w1.fi/cgit/hostap/commit/?id=ac8fa9ef198640086cf2ce7c94673be2b6a018a0
Created hostapd tracking bugs for this issue: Affects: epel-all [bug 1699155] Affects: fedora-all [bug 1699154]
Statement: Red Hat Enterprise Linux 5, 6, and 7 do not ship hostapd and they are not affected by this flaw.
According to the external reference: "Similar cases against the wpa_supplicant SAE station implementation had already been tested by the hwsim test cases, but those sequences did not trigger this specific code path in AP mode which is why the issue was not discovered earlier." wpa_supplicant as shipped in Red Hat Enterprise Linux is not compiled with CONFIG_SAE=y, but even if it was, this flaw would not affect it in AP mode anyway.
Acknowledgments: Name: Mathy Vanhoef (NYUAD), Eyal Ronen (Tel Aviv University & KU Leuven)
External References: https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt https://www.kb.cert.org/vuls/id/871675/
hostapd-2.7-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
hostapd-2.7-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.