hostapd: SAE confirm missing state validation in hostapd/AP (CVE-2019-9496)
An invalid authentication sequence could result in the hostapd process
terminating due to missing state validation steps when processing the
SAE confirm message in hostapd/AP mode. All versions of hostapd with
SAE support are vulnerable.
Update to hostapd v2.8 or newer, once available.
References:
https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
https://www.kb.cert.org/vuls/id/871675/
Patch:
https://w1.fi/cgit/hostap/commit/?id=ac8fa9ef198640086cf2ce7c94673be2b6a018a0
(from redmine: issue id 10331, created on 2019-04-25, closed on 2019-06-20)
- Relations:
  - child #10332 (closed)
  - child #10333 (closed)
  - child #10334 (closed)
  - child #10335 (closed)
  - child #10336 (closed)
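
The kind of state validation the description refers to, as an added example that is not hostapd's code and not the referenced patch: a simplified AP-side model in which a confirm message is rejected unless a commit has already been accepted for that session. All names (`sae_rx`, `struct sae_session`, the return codes) are hypothetical, and the cryptographic verification of the confirm value is outside this model.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified session model; not taken from hostapd. */
enum sae_state { SAE_NOTHING, SAE_COMMITTED, SAE_ACCEPTED };
enum sae_rc { SAE_RC_OK, SAE_RC_BAD_STATE, SAE_RC_BAD_FRAME };

#define SAE_COMMIT_SEQ  1   /* authentication transaction 1 = commit */
#define SAE_CONFIRM_SEQ 2   /* authentication transaction 2 = confirm */
#define MAX_COMMIT      128 /* constructed limit for this model */

struct sae_session {
    enum sae_state state;
    unsigned char peer_commit[MAX_COMMIT];
    size_t peer_commit_len; /* 0 until a commit has been accepted */
};

/* Handle one received SAE frame. Every out-of-order or malformed frame
 * yields an error code; no branch touches commit data that is absent. */
enum sae_rc sae_rx(struct sae_session *s, int seq,
                   const unsigned char *body, size_t len)
{
    if (s == NULL || body == NULL || len == 0)
        return SAE_RC_BAD_FRAME;

    switch (seq) {
    case SAE_COMMIT_SEQ:
        if (len > MAX_COMMIT)
            return SAE_RC_BAD_FRAME;      /* leave session untouched */
        memcpy(s->peer_commit, body, len);
        s->peer_commit_len = len;
        s->state = SAE_COMMITTED;
        return SAE_RC_OK;
    case SAE_CONFIRM_SEQ:
        /* State validation: a confirm is only meaningful after a commit
         * was accepted and its data stored for this session. */
        if (s->state != SAE_COMMITTED || s->peer_commit_len == 0)
            return SAE_RC_BAD_STATE;
        /* The confirm value itself would be verified here against the
         * stored commit data; that step is not part of this model. */
        s->state = SAE_ACCEPTED;
        return SAE_RC_OK;
    default:
        return SAE_RC_BAD_FRAME;
    }
}
```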