diff options
| author | Stefan Lippers-Hollmann <s.l-h@gmx.de> | 2019-04-11 02:56:37 +0200 |
|---|---|---|
| committer | Jo-Philipp Wich <jo@mein.io> | 2019-04-11 11:26:01 +0200 |
| commit | 57ab9e3add0f10795b7db5b1f3d1b2eb9b8f92c9 (patch) | |
| tree | 25c5f4e245024c85055a08e7dee0c9fa7871a436 | |
| parent | 262229e9248a5235844cdab6bb87fcb77b359b30 (diff) | |
| download | upstream-57ab9e3add0f10795b7db5b1f3d1b2eb9b8f92c9.tar.gz upstream-57ab9e3add0f10795b7db5b1f3d1b2eb9b8f92c9.tar.bz2 upstream-57ab9e3add0f10795b7db5b1f3d1b2eb9b8f92c9.zip | |
hostapd: fix CVE-2019-9496
hostapd: fix SAE confirm missing state validation
Published: April 10, 2019
Identifiers:
- CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
Latest version available from: https://w1.fi/security/2019-3/
Vulnerability
When hostapd is used to operate an access point with SAE (Simultaneous
Authentication of Equals; also known as WPA3-Personal), an invalid
authentication sequence could result in the hostapd process terminating
due to a NULL pointer dereference when processing SAE confirm
message. This was caused by missing state validation steps when
processing the SAE confirm message in hostapd/AP mode.
Similar cases against the wpa_supplicant SAE station implementation had
already been tested by the hwsim test cases, but those sequences did not
trigger this specific code path in AP mode which is why the issue was
not discovered earlier.
An attacker in radio range of an access point using hostapd in SAE
configuration could use this issue to perform a denial of service attack
by forcing the hostapd process to terminate.
Vulnerable versions/configurations
All hostapd versions with SAE support (CONFIG_SAE=y in the build
configuration and SAE being enabled in the runtime configuration).
Possible mitigation steps
- Merge the following commit to hostapd and rebuild:
SAE: Fix confirm message validation in error cases
These patches are available from https://w1.fi/security/2019-3/
- Update to hostapd v2.8 or newer, once available
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
| -rw-r--r-- | package/network/services/hostapd/Makefile | 2 | ||||
| -rw-r--r-- | package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch | 52 |
2 files changed, 53 insertions, 1 deletions
diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile index b7190d37b9..6308dca84f 100644 --- a/package/network/services/hostapd/Makefile +++ b/package/network/services/hostapd/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=hostapd -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE_URL:=http://w1.fi/hostap.git PKG_SOURCE_PROTO:=git diff --git a/package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch b/package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch new file mode 100644 index 0000000000..3a3658e640 --- /dev/null +++ b/package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch @@ -0,0 +1,52 @@ +From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Tue, 5 Mar 2019 23:43:25 +0200 +Subject: [PATCH 10/14] SAE: Fix confirm message validation in error cases + +Explicitly verify that own and peer commit scalar/element are available +when trying to check SAE confirm message. It could have been possible to +hit a NULL pointer dereference if the peer element could not have been +parsed. (CVE-2019-9496) + +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +--- + src/common/sae.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -1464,23 +1464,31 @@ int sae_check_confirm(struct sae_data *s + + wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data)); + +- if (sae->tmp == NULL) { ++ if (!sae->tmp || !sae->peer_commit_scalar || ++ !sae->tmp->own_commit_scalar) { + wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available"); + return -1; + } + +- if (sae->tmp->ec) ++ if (sae->tmp->ec) { ++ if (!sae->tmp->peer_commit_element_ecc || ++ !sae->tmp->own_commit_element_ecc) ++ return -1; + sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, + sae->tmp->peer_commit_element_ecc, + sae->tmp->own_commit_scalar, + sae->tmp->own_commit_element_ecc, + verifier); +- else ++ } else { ++ if (!sae->tmp->peer_commit_element_ffc || ++ !sae->tmp->own_commit_element_ffc) ++ return -1; + sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, + sae->tmp->peer_commit_element_ffc, + sae->tmp->own_commit_scalar, + sae->tmp->own_commit_element_ffc, + verifier); ++ } + + if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) { + wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch"); |