Possible security hole when attacker connects with wrong WPA/RSN IE

Jouni Malinen j at w1.fi
Wed Nov 11 10:38:10 EST 2009


On Tue, Nov 03, 2009 at 07:53:47PM +0200, Andriy Tkachuk wrote:

> It looks like hostapd allows (for example, when working with madwifi,
> atheros or bsd driver wrappers) clients to stay connected indefinitely
> when they connected with a wrong WPA/RSN IE, while the Host AP driver will
> fail association for such clients. In the worst case, when vendors don't
> implement EAPoL frame filtering before the 4-way handshake completes and
> keys are set, an attacker may stay connected and use AP resources in
> Open mode. In a less severe case the AP could be open to a DoS attack.
>
> The solution seems to be straightforward - just disconnect such clients
> either from the driver wrappers, or maybe even better - from the
> hostapd_notif_assoc() routine, for example, as in the attached patch.

Thanks, applied (with build fixes). I don't think this by itself would
be much of a security issue. If the driver does not provide IEEE 802.1X
controlled-port-like filtering of non-EAPOL frames prior to key setup,
it is seriously broken regardless of this change. A DoS attack is still
possible even with this change (though, with potentially more frequent
association request frame transmission needed). Anyway, it is cleaner to
clear the driver state immediately, so this change sounds reasonable in
general.

-- 
Jouni Malinen                                            PGP id EFC895FA
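The two mechanisms discussed above can be shown together in a small model: rejecting an association whose RSN IE does not match the AP configuration (the fix applied in this thread), and the IEEE 802.1X controlled-port behaviour Jouni describes, where only EAPOL frames (EtherType 0x888E) pass for an associated station until the 4-way handshake has installed keys. This is an added example written for this page, not hostapd code; the `Ap`, `ApConfig`, `notif_assoc` and `handle_data_frame` names are assumptions chosen for the model, and the RSN IE layout follows the IEEE 802.11 element format (ID 48, version, group cipher, pairwise and AKM suite lists, capabilities) with constructed sample IEs.

```python
"""Model of RSN IE validation at association time and of the 802.1X
controlled-port filter that drops non-EAPOL frames until keys are set.
Illustrative only; not hostapd's own code."""
from dataclasses import dataclass, field
import struct

ETHERTYPE_EAPOL = 0x888E
RSN_OUI = b"\x00\x0f\xac"          # IEEE 802.11 RSN suite selector OUI
CIPHER_TKIP, CIPHER_CCMP = 2, 4     # suite types for TKIP and CCMP
AKM_8021X, AKM_PSK = 1, 2           # AKM suite types


def _suite(kind: int) -> bytes:
    return RSN_OUI + bytes([kind])


def build_rsn_ie(group: int, pairwise: list, akm: list) -> bytes:
    """Build a constructed RSN information element (element ID 48)."""
    body = struct.pack("<H", 1) + _suite(group)                       # version 1, group cipher
    body += struct.pack("<H", len(pairwise)) + b"".join(_suite(p) for p in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(_suite(a) for a in akm)
    body += struct.pack("<H", 0)                                      # RSN capabilities
    return bytes([48, len(body)]) + body


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE into group/pairwise/AKM suite types; ValueError if malformed."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    if len(body) < 8:
        raise ValueError("RSN IE too short")
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version")
    if body[2:5] != RSN_OUI:
        raise ValueError("bad group cipher selector")
    group = body[5]
    pos = 6

    def suites(pos):
        if pos + 2 > len(body):
            raise ValueError("truncated suite count")
        count, = struct.unpack_from("<H", body, pos)
        pos += 2
        out = []
        for _ in range(count):
            if pos + 4 > len(body) or body[pos:pos + 3] != RSN_OUI:
                raise ValueError("bad suite selector")
            out.append(body[pos + 3])
            pos += 4
        return out, pos

    pairwise, pos = suites(pos)
    akm, pos = suites(pos)
    return {"group": group, "pairwise": pairwise, "akm": akm}


@dataclass
class ApConfig:
    """What the AP is configured to accept (assumed CCMP-only, PSK)."""
    group: int = CIPHER_CCMP
    pairwise: frozenset = frozenset({CIPHER_CCMP})
    akm: frozenset = frozenset({AKM_PSK})


def rsn_ie_matches(cfg: ApConfig, parsed: dict) -> bool:
    """The station's IE must use the configured group cipher and at least one
    configured pairwise cipher and AKM."""
    return (parsed["group"] == cfg.group
            and bool(cfg.pairwise.intersection(parsed["pairwise"]))
            and bool(cfg.akm.intersection(parsed["akm"])))


@dataclass
class Ap:
    cfg: ApConfig
    stations: dict = field(default_factory=dict)   # mac -> controlled port authorized?

    def notif_assoc(self, mac: str, rsn_ie: bytes) -> str:
        """Association notification from the driver: a station whose RSN IE fails
        validation is disassociated at once rather than left in driver state."""
        try:
            ok = rsn_ie_matches(self.cfg, parse_rsn_ie(rsn_ie))
        except ValueError:
            ok = False
        if not ok:
            self.stations.pop(mac, None)
            return "disassoc"
        self.stations[mac] = False      # associated, controlled port still blocked
        return "assoc"

    def handshake_complete(self, mac: str) -> None:
        """4-way handshake finished and keys installed: open the controlled port."""
        self.stations[mac] = True

    def handle_data_frame(self, mac: str, ethertype: int) -> str:
        """Controlled-port filter: before keys are set only EAPOL may pass."""
        if mac not in self.stations:
            return "drop:not-associated"
        if not self.stations[mac] and ethertype != ETHERTYPE_EAPOL:
            return "drop:port-unauthorized"
        return "forward"
```

In the model, a driver wrapper that never called `notif_assoc`'s reject path would leave the mismatched station in `stations` with the port blocked; the filter alone still stops non-EAPOL traffic, which is Jouni's point that a driver lacking that filter is broken independently of the association fix.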
