W1.fi hostapd CAM table denial-of-service vulnerability

Summary

An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby Aps of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability

Tested Versions

hostapd version 2.6 Ubiquiti AP-AC-Pro firmware 4.0.10.9653

Product URLs

<https://w1.fi/hostapd/&gt;

CVSSv3 Score

7.4 - AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-440 - Expected Behavior Violation

Details

When hostapd is compiled with default configurations the IAPP protocol is enabled. The IAPP protocol sends a broadcast packet to the LAN with the MAC address of the station.

Upon receipt of an Authentication and AssociationRequest packet, hostapd will send a broadcast packet with the MAC address of the connecting station to the LAN. This packet is sent before the station has successfully authenticated. An attacker could iterate through a large set of unique MAC addresses to trigger DoS attacks within the upstream network infrastructure.

Timeline

2019-07-01 - Vendor Disclosure
2019-07-28 - Vendor acknowledged and provided comments for review to the advisory
2019-09-10 - Talos updated security advisory;Related Linux kernel issue discovered (CVE-2019-5108); 90 day timeline reset per Talos
2019-11-10 - Vendor confirmed fix applied to main repository
2019-12-11 - Public Release