hostapd: fix SAE H2E security vulnerability
authorRany Hany <rany_hany@riseup.net>
Wed, 31 Jul 2024 17:16:55 +0000 (17:16 +0000)
committerRISCi_ATOM <bob@bobcall.me>
Thu, 8 Aug 2024 20:10:03 +0000 (16:10 -0400)
commita335d45dd5937b76240b7228e735a6aa9e3b069f
tree745fa86f526802f95fd7a1b0e38019f680d4a9e8
parent447aca599c85ca1c6848e32156d14157634c77ab
hostapd: fix SAE H2E security vulnerability

This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.

As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].

An explanation of the impact of the vulnerability is provided from the
advisory[1]:

This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.

[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt

Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db7f70fe6140e99ae709c7bf2a25eb983cb725ed)
package/network/services/hostapd/Makefile
package/network/services/hostapd/patches/800-SAE-Check-for-invalid-Rejected-Groups-element-length.patch [new file with mode: 0644]
package/network/services/hostapd/patches/801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch [new file with mode: 0644]
package/network/services/hostapd/patches/802-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch [new file with mode: 0644]