PT-2019-6124 · Linux+4 · Wpa Supplicant+5
Published
2019-04-10
·
Updated
2024-06-15
·
CVE-2019-9496
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
hostapd up to and including 2.7 when built with SAE support (CONFIG_SAE=y)
wpa_supplicant up to and including 2.7 when built with SAE support and acting as an SAE authenticator (AP mode or mesh mode)
Description
hostapd and wpa_supplicant implement SAE (Simultaneous Authentication of Equals), the password-authenticated key exchange used by WPA3-Personal. An SAE exchange is a fixed two-step sequence: each side first sends a Commit message, and only then a Confirm message proving knowledge of the key derived from the two commits. In affected versions the authenticator-side handler did not validate that a Commit had already been processed for a peer before handling that peer's Confirm message. An invalid authentication sequence, in the simplest case a Confirm frame with no preceding Commit, therefore reached code that assumed the per-station SAE state created in the Commit step existed, and the hostapd process terminated. Any unauthenticated device within radio range of an SAE-enabled access point can send such a frame, so the result is a denial of service for every client of that access point. wpa_supplicant runs the same SAE authenticator code when it operates as an AP or mesh peer, which is why both packages are affected.
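To make the missing check concrete, the following is an added C model written for this advisory; it is not hostapd or wpa_supplicant source, and every name in it (sae_sta, sae_tmp, process_commit, process_confirm, the toy key derivation) is invented for the illustration. It drives two constructed frame sequences through an authenticator-side SAE handler, once with the state check and once without, so the Confirm-without-Commit case can be exercised without crashing the process.

```c
/* Added illustration for this advisory, not hostapd source: a toy model of
 * the authenticator-side SAE state machine showing the missing state check.
 * Names (sae_sta, sae_tmp, process_commit, process_confirm) are invented. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum sae_state { SAE_NOTHING, SAE_COMMITTED, SAE_CONFIRMED, SAE_ACCEPTED };
enum sae_result { SAE_OK = 0, SAE_REJECT = 1, SAE_WOULD_CRASH = 2 };

/* IEEE 802.11 authentication transaction sequence numbers for SAE frames. */
enum { SAE_FRAME_COMMIT = 1, SAE_FRAME_CONFIRM = 2 };

/* Per-peer material that exists only once a Commit has been processed. */
struct sae_tmp {
    uint8_t peer_scalar[32];
    uint8_t kck[32];   /* key used to verify the peer's Confirm value */
};

struct sae_sta {
    enum sae_state state;
    struct sae_tmp *tmp;   /* NULL until process_commit() allocates it */
};

static int process_commit(struct sae_sta *sta, const uint8_t scalar[32])
{
    sta->tmp = calloc(1, sizeof(*sta->tmp));
    if (!sta->tmp)
        return SAE_REJECT;
    memcpy(sta->tmp->peer_scalar, scalar, 32);
    /* Toy key derivation; a real SAE implementation derives the KCK from the
     * shared secret computed from both Commit messages. */
    for (int i = 0; i < 32; i++)
        sta->tmp->kck[i] = (uint8_t)(scalar[i] ^ 0x5a);
    sta->state = SAE_COMMITTED;
    return SAE_OK;
}

/* validate_state == 0 reproduces the flawed pattern: the handler assumes a
 * Commit already ran and reaches for sta->tmp. Where the real code
 * dereferenced NULL and terminated, the model returns SAE_WOULD_CRASH. */
static int process_confirm(struct sae_sta *sta, const uint8_t confirm[32],
                           int validate_state)
{
    if (validate_state &&
        sta->state != SAE_COMMITTED && sta->state != SAE_CONFIRMED)
        return SAE_REJECT;          /* the fix: Confirm only after Commit */
    if (!sta->tmp)
        return SAE_WOULD_CRASH;     /* stands in for the NULL dereference */
    if (memcmp(sta->tmp->kck, confirm, 32) != 0)
        return SAE_REJECT;          /* wrong Confirm value */
    sta->state = SAE_ACCEPTED;
    free(sta->tmp);
    sta->tmp = NULL;
    return SAE_OK;
}

/* Feed a constructed frame sequence through a fresh station context and
 * return the first non-OK result (or SAE_OK if everything was accepted). */
static int run_sequence(const int *frames, size_t n, int validate_state)
{
    struct sae_sta sta = { SAE_NOTHING, NULL };
    uint8_t scalar[32], confirm[32];
    for (int i = 0; i < 32; i++) {          /* constructed peer values */
        scalar[i] = (uint8_t)i;
        confirm[i] = (uint8_t)(i ^ 0x5a);   /* matches the toy KCK above */
    }
    int rc = SAE_OK;
    for (size_t i = 0; i < n && rc == SAE_OK; i++) {
        if (frames[i] == SAE_FRAME_COMMIT)
            rc = process_commit(&sta, scalar);
        else if (frames[i] == SAE_FRAME_CONFIRM)
            rc = process_confirm(&sta, confirm, validate_state);
        else
            rc = SAE_REJECT;
    }
    free(sta.tmp);
    return rc;
}

/* Normal exchange: Commit, then Confirm. */
int demo_valid_handshake(int validate_state)
{
    const int frames[] = { SAE_FRAME_COMMIT, SAE_FRAME_CONFIRM };
    return run_sequence(frames, 2, validate_state);
}

/* The CVE-2019-9496 sequence: a Confirm with no preceding Commit. */
int demo_confirm_without_commit(int validate_state)
{
    const int frames[] = { SAE_FRAME_CONFIRM };
    return run_sequence(frames, 1, validate_state);
}

int main(void)
{
    printf("commit+confirm, no check : %d\n", demo_valid_handshake(0));
    printf("commit+confirm, checked  : %d\n", demo_valid_handshake(1));
    printf("confirm only, no check   : %d (would crash)\n",
           demo_confirm_without_commit(0));
    printf("confirm only, checked    : %d (rejected)\n",
           demo_confirm_without_commit(1));
    return 0;
}
```

The point of the model is the first branch of process_confirm: the state check is what turns an out-of-order Confirm into an ordinary protocol rejection instead of a path into state that does not exist yet. The same shape applies to any multi-message handshake handler: gate each message on the state the previous message must have left behind, before touching data that only that previous step allocates.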
Recommendations
Upgrade hostapd and wpa_supplicant to 2.8 or later, which adds the missing state validation, or apply the corresponding vendor or distribution update for the affected product.
If updating is not immediately possible, disable SAE on hostapd: build without CONFIG_SAE=y, or remove SAE from wpa_key_mgmt in hostapd.conf. This turns off WPA3-Personal on that interface, so clients can only connect with the other key management methods still enabled there.
For wpa_supplicant the exposure exists only when it acts as an SAE authenticator (AP mode or mesh mode); avoid SAE-based network configurations in those modes until the update is applied.
Fix
DoS
Improper Authentication
Related Identifiers
Affected Products
ALT Linux
FortiOS
FreeBSD
SUSE
hostapd
wpa_supplicant