From 3e9f3a3ebd8c2925f28efa91cafa56948ecab021 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 25 Apr 2020 14:35:20 +0200 Subject: [PATCH] hostapd: apply patch for CVE-2019-16275 AP mode PMF disconnection protection bypass Published: September 11, 2019 Identifiers: - CVE-2019-16275 Latest version available from: https://w1.fi/security/2019-7/ Vulnerability hostapd (and wpa_supplicant when controlling AP mode) did not perform sufficient source address validation for some received Management frames and this could result in ending up sending a frame that caused associated stations to incorrectly believe they were disconnected from the network even if management frame protection (also known as PMF) was negotiated for the association. This could be considered to be a denial of service vulnerability since PMF is supposed to protect from this type of issues. It should be noted that if PMF is not enabled, there would be no protocol level protection against this type of denial service attacks. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network. Vulnerable versions/configurations All hostapd and wpa_supplicants versions with PMF support (CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with PMF being enabled (optional or required). In addition, this would be applicable only when using user space based MLME/SME in AP mode, i.e., when hostapd (or wpa_supplicant when controlling AP mode) would process authentication and association management frames. This condition would be applicable mainly with drivers that use mac80211. Possible mitigation steps - Merge the following commit to wpa_supplicant/hostapd and rebuild: AP: Silently ignore management frame from unexpected source address This patch is available from https://w1.fi/security/2019-7/ - Update to wpa_supplicant/hostapd v2.10 or newer, once available --- pkgs/os-specific/linux/hostapd/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix index 869a394cefb..8152655d457 100644 --- a/pkgs/os-specific/linux/hostapd/default.nix +++ b/pkgs/os-specific/linux/hostapd/default.nix @@ -17,7 +17,13 @@ stdenv.mkDerivation rec { # Note: fetchurl seems to be unhappy with openwrt git # server's URLs containing semicolons. Using the github mirror instead. url = "https://raw.githubusercontent.com/openwrt/openwrt/master/package/network/services/hostapd/patches/300-noscan.patch"; - sha256 = "04wg4yjc19wmwk6gia067z99gzzk9jacnwxh5wyia7k5wg71yj5k";}) + sha256 = "04wg4yjc19wmwk6gia067z99gzzk9jacnwxh5wyia7k5wg71yj5k"; + }) + (fetchurl { + name = "CVE-2019-16275.patch"; + url = "https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch"; + sha256 = "15xjyy7crb557wxpx898b5lnyblxghlij0xby5lmj9hpwwss34dz"; + }) ]; outputs = [ "out" "man" ];