Headline
CVE-2019-5062: TALOS-2019-0850 || Cisco Talos Intelligence Group
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.
Summary
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.
Tested Versions
hostapd version 2.6 on a Raspberry Pi.
Product URLs
https://w1.fi/hostapd/
CVSSv3 Score
7.4 - AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE
CWE-440 - Expected Behavior Violation
Details
When hostapd receives an Authentication and an AssociationRequest packet, it begins the handshake process with the station. Upon failure to negotiate authentication, hostapd sends Deauthentication packets to the client with the same MAC address as the first two packets.
This behavior can be abused by an attacker to cause a valid station using 802.11w to be deauthenticated from the AP.
Timeline
2019-07-01 - Initial contact 2019-07-02 - Vendor acknowledged
2019-07-08 - Vendor disclosure; reports issued
2019-07-28 - Vendor confirmed does not trigger above 2.6 version
2019-11-10 - Vendor confirmed fix applied to main repository
2019-12-11 - Public Release
Related news
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]