Possible security hole when attacker connects with wrong WPA/RSN IE
andriy.v.tkachuk at globallogic.com
Tue Nov 3 13:01:27 EST 2009
Sorry, but in prev. patch *_STATUS_* should be changed to *_REASON_*.
Fixed patch attached.
On 2009-11-03 19:53, Andriy Tkachuk wrote:
> Hello Jouni and folks.
> It looks like hostapd allows (for example, when working with madwifi,
> atheros or bsd driver wrappers) for clients to stay connected
> infinitely when they connect with a wrong WPA/RSN IE, while the Host AP
> driver will fail association for such clients. In the worst case, when
> vendors don't implement EAPoL frame filtering before the 4-way handshake
> completes and keys are set, an attacker may stay connected and use AP
> resources in Open mode. In a less severe case the AP could be open to
> a DoS attack.
> The solution seems to be straightforward - just disconnect such
> clients either from driver wrappers, or maybe even better - from
> hostapd_notif_assoc() routine, for example, like in attached patch.
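The disconnect-on-invalid-IE behaviour proposed in the quoted message, and the status/reason distinction from the follow-up, as an added example that is not the attached patch or hostapd code. All function, struct and enum names are hypothetical, the IE check is deliberately minimal, and the sample IEs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IEEE 802.11 reason codes: carried in Deauthentication/Disassociation. */
enum { REASON_INVALID_IE = 13, REASON_GROUP_CIPHER_NOT_VALID = 18 };
/* IEEE 802.11 status codes: carried in Association Response only, so
 * they are the wrong namespace once the driver has already associated. */
enum { STATUS_INVALID_IE = 40, STATUS_GROUP_CIPHER_NOT_VALID = 41 };

enum ie_result { IE_OK, IE_INVALID, IE_BAD_GROUP_CIPHER }; /* hypothetical */
struct sta { int associated; int deauth_reason; };         /* hypothetical */

/* Constructed samples: RSN IE, version 1, group cipher CCMP / WEP-40. */
const uint8_t SAMPLE_GOOD_IE[] = { 0x30, 0x06, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04 };
const uint8_t SAMPLE_BAD_GROUP_IE[] = { 0x30, 0x06, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x01 };

/* Minimal RSN IE check: element id 48, consistent length, version 1,
 * group cipher suite 00-0F-AC:2 (TKIP) or 00-0F-AC:4 (CCMP). */
static enum ie_result check_rsn_ie(const uint8_t *ie, size_t len)
{
    static const uint8_t oui[3] = { 0x00, 0x0f, 0xac };
    if (ie == NULL || len < 8 || ie[0] != 48 || (size_t)ie[1] + 2 != len)
        return IE_INVALID;
    if (ie[2] != 1 || ie[3] != 0)
        return IE_INVALID;
    if (memcmp(&ie[4], oui, 3) != 0 || (ie[7] != 2 && ie[7] != 4))
        return IE_BAD_GROUP_CIPHER;
    return IE_OK;
}

/* Driver reported "station associated": keep the station only if its IE
 * validates; otherwise mark it disconnected with a reason code.
 * Returns 0 if kept, else the reason code a real AP would send. */
int on_driver_assoc(struct sta *sta, const uint8_t *ie, size_t len)
{
    enum ie_result r = check_rsn_ie(ie, len);
    int reason = r == IE_OK ? 0
               : r == IE_BAD_GROUP_CIPHER ? REASON_GROUP_CIPHER_NOT_VALID
               : REASON_INVALID_IE;
    sta->associated = (reason == 0);
    sta->deauth_reason = reason;
    return reason;
}

int main(void)
{
    struct sta s = { 1, 0 };
    return on_driver_assoc(&s, SAMPLE_GOOD_IE, sizeof SAMPLE_GOOD_IE);
}
```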