W1.fi hostapd deauthentication denial-of-service vulnerability

Summary

An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.

Tested Versions

hostapd version 2.6 on a Raspberry Pi.

Product URLs

<https://w1.fi/hostapd/&gt;

CVSSv3 Score

7.4 - AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-440 - Expected Behavior Violation

Details

When hostapd receives an Authentication and an AssociationRequest packet, it begins the handshake process with the station. Upon failure to negotiate authentication, hostapd sends Deauthentication packets to the client with the same MAC address as the first two packets.

This behavior can be abused by an attacker to cause a valid station using 802.11w to be deauthenticated from the AP.

Timeline

2019-07-01 - Initial contact 2019-07-02 - Vendor acknowledged
2019-07-08 - Vendor disclosure; reports issued
2019-07-28 - Vendor confirmed does not trigger above 2.6 version
2019-11-10 - Vendor confirmed fix applied to main repository
2019-12-11 - Public Release