VYPR
Unrated severity · NVD Advisory · Published Apr 17, 2019 · Updated Aug 4, 2024

An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps

CVE-2019-9496

Description

An invalid authentication sequence in SAE confirm message processing in hostapd and wpa_supplicant (≤2.7) allows remote attackers to cause a denial of service by terminating the hostapd process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-9496 is a denial-of-service vulnerability in the Simultaneous Authentication of Equals (SAE) handshake implementation of hostapd (AP mode) and wpa_supplicant. The bug resides in the processing of the SAE confirm message: missing state validation steps allow an invalid authentication sequence to trigger a termination of the hostapd process. All versions of hostapd with SAE support are affected, as are versions of wpa_supplicant with SAE support prior to and including version 2.7 [1][2].

Exploitation

An attacker does not need any prior authentication or special privileges. The attacker must be within wireless range of the target access point running hostapd. By sending a crafted SAE confirm message that violates the expected authentication sequence, the attacker can force the hostapd process to terminate immediately, causing a denial of service [1][2].

Impact

Successful exploitation results in the termination of the hostapd process, rendering the access point unavailable. This is a denial-of-service (DoS) condition that disrupts wireless connectivity for all clients until the service is manually restarted or the device is rebooted. No data confidentiality or integrity is compromised directly, but network availability is lost [1][2].

Mitigation

A fix is available in hostapd and wpa_supplicant version 2.8 and later. For Synology SRM, upgrade to SRM 1.2.3-8017 or above [1]. FreeBSD users should update to a supported release containing the patch (e.g., 12.0-RELEASE-p4 or 11.2-RELEASE-p10) [2]. No workaround exists other than disabling SAE support or upgrading to a patched version [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 8

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 9

News mentions: 0

No linked articles in our index yet.