Bugzilla – Bug 1159188
VUL-0: CVE-2019-5061: hostapd: denial-of-service vulnerability by triggering AP to send IAPP location updates
Last modified: 2019-12-13 23:12:19 UTC
CVE-2019-5061

An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.

The description says 2.6, but I assume that it affects hostapd until 018edec9b2bd3db20605117c32ff79c1e625c432, where IAPP support is removed. So Leap 15.1 and Factory are affected.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5061
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5061.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5061
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0849