hostapd: UPnP SUBSCRIBE misbehavior in hostapd WPS AP (CVE-2020-12695)
A general security vulnerability in the way the callback URLs in the UPnP SUBSCRIBE command are used was reported (VU#339275, CVE-2020-12695). Some of the described issues may be applicable to the use of UPnP in WPS AP mode functionality for supporting external registrars.
Vulnerable Versions:
All hostapd versions with WPS AP support with UPnP enabled in the build parameters (CONFIG_WPS_UPNP=y) and in the runtime configuration (upnp_iface).
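As an added example (not part of the advisory or of the hostapd project), this shell check tests a hostapd build `.config` and a `hostapd.conf` for the two conditions listed above. The function names, temporary file names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether both conditions from the advisory hold:
# CONFIG_WPS_UPNP=y at build time and upnp_iface set at run time.

# Succeeds if the build config has an active (uncommented) CONFIG_WPS_UPNP=y.
build_has_wps_upnp() {
    grep -Eq '^CONFIG_WPS_UPNP[[:space:]]*=[[:space:]]*y[[:space:]]*$' "$1"
}

# Prints the value of every active upnp_iface= line, one per line.
# Lines starting with '#' never match; empty values are ignored.
runtime_upnp_ifaces() {
    sed -n 's/^[[:space:]]*upnp_iface=\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# Prints one of: not-built | built-but-disabled | exposed:<iface,...>
hostapd_upnp_status() {
    build_cfg=$1
    run_cfg=$2
    if ! build_has_wps_upnp "$build_cfg"; then
        echo "not-built"
        return 0
    fi
    ifaces=$(runtime_upnp_ifaces "$run_cfg" | sort -u | paste -sd, -)
    if [ -z "$ifaces" ]; then
        echo "built-but-disabled"
    else
        echo "exposed:$ifaces"
    fi
}

# Constructed sample files (not taken from any real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/build.config" <<'EOF'
CONFIG_DRIVER_NL80211=y
CONFIG_WPS=y
CONFIG_WPS_UPNP=y
EOF
cat > "$demo_dir/hostapd.conf" <<'EOF'
interface=wlan0
bridge=br0
wps_state=2
#upnp_iface=eth9
upnp_iface=br0
EOF
hostapd_upnp_status "$demo_dir/build.config" "$demo_dir/hostapd.conf"
rm -rf "$demo_dir"
```

A result of `exposed:<iface>` means both conditions are met and the patched packages are needed; `built-but-disabled` means the code is compiled in but no `upnp_iface` is configured.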
References:
https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
Patches:
https://w1.fi/security/2020-1/
Affected branches:
- master
- 3.12-stable
- 3.11-stable
- 3.10-stable
- 3.9-stable
Edited by Leo