Bug 1131869 - (CVE-2019-9496) VUL-0: CVE-2019-9496: wpa_supplicant: SAE confirm missing state validation in hostapd/AP
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assigned To: Clemens Famulla-Conrad
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/229084/
Depends on: 1131289 1131644
Reported: 2019-04-08 14:52 UTC by Marcus Meissner
Modified: 2021-02-10 08:20 UTC
Comment 1 Marcus Meissner 2019-04-08 15:26:15 UTC
does not affect wpa_supplicant as far as I read it.
Comment 2 Marcus Meissner 2019-04-10 15:21:31 UTC
public via oss-sec

Published: April 10, 2019
Identifiers:
- CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
Latest version available from: https://w1.fi/security/2019-3/

Vulnerability

When hostapd is used to operate an access point with SAE (Simultaneous
Authentication of Equals; also known as WPA3-Personal), an invalid
authentication sequence could result in the hostapd process terminating
due to a NULL pointer dereference when processing SAE confirm
message. This was caused by missing state validation steps when
processing the SAE confirm message in hostapd/AP mode.

Similar cases against the wpa_supplicant SAE station implementation had
already been tested by the hwsim test cases, but those sequences did not
trigger this specific code path in AP mode which is why the issue was
not discovered earlier.

An attacker in radio range of an access point using hostapd in SAE
configuration could use this issue to perform a denial of service attack
by forcing the hostapd process to terminate.


Vulnerable versions/configurations

All hostapd versions with SAE support (CONFIG_SAE=y in the build
configuration and SAE being enabled in the runtime configuration).


Possible mitigation steps

- Merge the following commit to hostapd and rebuild:

  SAE: Fix confirm message validation in error cases

  These patches are available from https://w1.fi/security/2019-3/

- Update to hostapd v2.8 or newer, once available

-- 
Jouni Malinen                                            PGP id EFC895FA
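
The class of bug the advisory describes (a confirm handler that uses per-handshake data without first validating the peer's state), shown as an added example that is not hostapd code and not part of the advisory or of this bug report. The struct, enum and function names and the 32-byte check value are hypothetical, and the model is a simplified two-message handshake that does not reproduce the specific sequence that affected hostapd.

```c
/* Added example: simplified model, not hostapd source. All names hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum peer_state { PEER_IDLE, PEER_COMMITTED, PEER_ACCEPTED };
enum { SAE_OK = 0, SAE_REJECT = -1 };

struct handshake_tmp { uint8_t expect[32]; };  /* exists only mid-handshake */
struct peer { enum peer_state state; struct handshake_tmp *tmp; };

/* Commit (first message): allocate the per-handshake data. */
int sae_rx_commit(struct peer *p)
{
    if (p->state != PEER_IDLE)
        return SAE_REJECT;
    p->tmp = calloc(1, sizeof(*p->tmp));
    if (!p->tmp)
        return SAE_REJECT;
    memset(p->tmp->expect, 0x5a, sizeof(p->tmp->expect)); /* constructed value */
    p->state = PEER_COMMITTED;
    return SAE_OK;
}

/* Confirm (second message): validate state BEFORE using p->tmp. */
int sae_rx_confirm(struct peer *p, const uint8_t *body, size_t len)
{
    uint8_t diff = 0;

    if (p->state != PEER_COMMITTED || p->tmp == NULL)
        return SAE_REJECT;            /* without this, p->tmp may be NULL below */
    if (len != sizeof(p->tmp->expect))
        return SAE_REJECT;
    for (size_t i = 0; i < len; i++)  /* constant-time stand-in for the real check */
        diff |= body[i] ^ p->tmp->expect[i];
    if (diff)
        return SAE_REJECT;
    free(p->tmp);                     /* handshake data is released on success */
    p->tmp = NULL;
    p->state = PEER_ACCEPTED;
    return SAE_OK;
}

int main(void)
{
    struct peer p = { PEER_IDLE, NULL };
    uint8_t frame[32] = { 0 };        /* constructed confirm body */
    printf("confirm in idle state -> %d\n", sae_rx_confirm(&p, frame, sizeof(frame)));
    return 0;
}
```
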
Comment 3 Marcus Meissner 2020-03-18 08:34:42 UTC
-> new maintainer Clemens
Comment 8 Clemens Famulla-Conrad 2021-02-10 08:20:51 UTC
wpa_supplicant was updated to 2.9, which includes this fix.