CVE-2019-16275

Vulnerability

Hostapd before version 2.10 and wpa_supplicant before version 2.10 (when controlling AP mode) do not perform sufficient source address validation for certain received Management frames [2]. This flaw can lead the access point to send a frame that causes associated stations to incorrectly believe they have been disconnected from the network, even when Management Frame Protection (PMF) was negotiated for the association [2]. The vulnerability is therefore a bypass of the denial-of-service protection that PMF is designed to provide [2].

Exploitation

An attacker must be within radio range of the access point and send a specially crafted 802.11 frame [2]. No authentication or prior association is required; the attack works against any station that has associated with PMF enabled. By sending a crafted management frame (likely a deauthentication or disassociation frame with a spoofed source address), the attacker triggers the access point to transmit a frame that misleads the client into thinking it has been disconnected [1][2].

Impact

A successful attack causes the target station(s) to disconnect from the network, requiring re-association and re-authentication. This constitutes a denial of service (DoS) [2][3][4]. Although the association used PMF, the protection mechanism is bypassed, so the attacker can force disconnections despite management frame protection being active [1][2]. If PMF is not enabled, the network is already vulnerable to such spoofing attacks [2].

Mitigation

Update to hostapd version 2.10 or later, and wpa_supplicant version 2.10 or later (released on 2019-09-11) [2]. Ubuntu provided updates in USN-4136-1 (for Ubuntu 16.04 LTS, 18.04 LTS, 18.10, 19.04) and USN-4136-2 (for Ubuntu 12.04 ESM and 14.04 ESM) [3][4]. No workaround is available if the fixed version cannot be applied; users are advised to upgrade immediately [1].