An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.
hostapd version 2.6 on a Raspberry Pi.
7.4 - AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-440 - Expected Behavior Violation
When hostapd receives an Authentication and an AssociationRequest packet, it begins the handshake process with the station. Upon failure to negotiate authentication, hostapd sends Deauthentication packets to the client with the same MAC address as the first two packets.
This behavior can be abused by an attacker to cause a valid station using 802.11w to be deauthenticated from the AP.
2019-07-01 - Initial contact
2019-07-02 - Vendor acknowledged
2019-07-08 - Vendor disclosure; reports issued
2019-07-28 - Vendor confirmed does not trigger above 2.6 version
2019-11-10 - Vendor confirmed fix applied to main repository
2019-12-11 - Public Release
Discovered by Mitchell Frank and Mark Leonard of Cisco