Possible security hole when attacker connects with wrong WPA/RSN IE

Andriy Tkachuk andriy.v.tkachuk
Tue Nov 3 09:53:47 PST 2009

Hello Jouni and folks.

It looks like hostapd allows (for example, when working with the madwifi, 
atheros or bsd driver wrappers) clients to stay connected indefinitely 
when they connected with a wrong WPA/RSN IE, while the Host AP driver will 
fail association for such clients. In the worst case, when vendors don't 
implement EAPOL frame filtering before the 4-way handshake completes and 
keys are set, an attacker may stay connected and use AP resources in 
Open mode. In a less severe case the AP could be open to a DoS attack.

The solution seems to be straightforward - just disconnect such clients, 
either from the driver wrappers or, maybe even better, from the 
hostapd_notif_assoc() routine, for example as in the attached patch.

Attachment (patch text scrubbed by the list archive, available at the URL below):
Name: hostapd-handle-weird-wpa_ie.patch
Url: http://lists.shmoo.com/pipermail/hostap/attachments/20091103/ab76b497/attachment.txt
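As an added illustration (not code from this post, from the attached patch, or from hostapd itself), here is a self-contained C check of the kind an association handler such as hostapd_notif_assoc() has to run on the station's RSN IE before letting the association stand. It validates the IE against a hypothetical AP policy (ap_rsn_policy, validate_rsn_ie and the sample data are names and bytes invented here) and returns the 802.11 reason code to disassociate the station with, or 0 to keep it and proceed to the 4-way handshake. The parser is deliberately stricter than the standard: it requires the group, pairwise and AKM fields to be present rather than applying the 802.11 defaults for a short IE, and every length is checked before the bytes are read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IEEE 802.11 reason codes carried in Disassociation/Deauthentication frames */
#define WLAN_REASON_INVALID_IE                 13
#define WLAN_REASON_GROUP_CIPHER_NOT_VALID     18
#define WLAN_REASON_PAIRWISE_CIPHER_NOT_VALID  19
#define WLAN_REASON_AKMP_NOT_VALID             20
#define WLAN_REASON_UNSUPPORTED_RSN_IE_VERSION 21

/* Suite selector types under the RSN OUI 00-0F-AC, and IE constants */
#define RSN_CIPHER_CCMP 4
#define RSN_AKM_PSK     2
#define RSN_IE_ID       48
#define SUITE_LEN       4

static const uint8_t RSN_OUI[3] = { 0x00, 0x0f, 0xac };

/* Hypothetical AP policy (assumption, not a hostapd structure): the group
 * cipher in use plus bitmasks of accepted pairwise/AKM types (bit n = type n). */
struct ap_rsn_policy {
    uint8_t  group_cipher;
    uint32_t pairwise_mask;
    uint32_t akm_mask;
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* 1 if any of the 'count' selectors at ie[pos..] is an RSN suite in 'mask' */
static int suite_list_accepted(const uint8_t *ie, size_t pos, uint16_t count,
                               uint32_t mask)
{
    uint16_t i;
    for (i = 0; i < count; i++, pos += SUITE_LEN)
        if (memcmp(ie + pos, RSN_OUI, 3) == 0 && ie[pos + 3] < 32 &&
            (mask & (1u << ie[pos + 3])))
            return 1;
    return 0;
}

/* Validate the RSN IE from a station's (Re)Association Request. Returns 0 if
 * the station may stay associated, else the reason code to disassociate with.
 * Group, pairwise and AKM fields must be explicit (no 802.11 defaults);
 * trailing RSN capabilities and PMKIDs are not inspected. */
int validate_rsn_ie(const struct ap_rsn_policy *pol, const uint8_t *ie, size_t len)
{
    size_t pos = 4;            /* past element id, length and version */
    uint16_t count;

    if (ie == NULL || len < 4 || ie[0] != RSN_IE_ID || (size_t)ie[1] + 2 != len)
        return WLAN_REASON_INVALID_IE;
    if (get_le16(ie + 2) != 1)
        return WLAN_REASON_UNSUPPORTED_RSN_IE_VERSION;

    if (len - pos < SUITE_LEN)
        return WLAN_REASON_INVALID_IE;
    if (memcmp(ie + pos, RSN_OUI, 3) != 0 || ie[pos + 3] != pol->group_cipher)
        return WLAN_REASON_GROUP_CIPHER_NOT_VALID;
    pos += SUITE_LEN;

    if (len - pos < 2)
        return WLAN_REASON_INVALID_IE;
    count = get_le16(ie + pos);
    pos += 2;
    if (count == 0 || count > (len - pos) / SUITE_LEN)   /* bounds before read */
        return WLAN_REASON_INVALID_IE;
    if (!suite_list_accepted(ie, pos, count, pol->pairwise_mask))
        return WLAN_REASON_PAIRWISE_CIPHER_NOT_VALID;
    pos += (size_t)count * SUITE_LEN;

    if (len - pos < 2)
        return WLAN_REASON_INVALID_IE;
    count = get_le16(ie + pos);
    pos += 2;
    if (count == 0 || count > (len - pos) / SUITE_LEN)
        return WLAN_REASON_INVALID_IE;
    if (!suite_list_accepted(ie, pos, count, pol->akm_mask))
        return WLAN_REASON_AKMP_NOT_VALID;
    return 0;
}

/* Constructed sample data (not captured traffic): a WPA2-PSK/CCMP policy, a
 * legitimate client's RSN IE, and an IE that offers only TKIP for pairwise. */
const struct ap_rsn_policy ccmp_psk_policy = {
    RSN_CIPHER_CCMP, 1u << RSN_CIPHER_CCMP, 1u << RSN_AKM_PSK
};
const uint8_t ie_ok[] = {
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f,
    0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00
};
const uint8_t ie_tkip_pairwise[] = {
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f,
    0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00
};

int main(void)
{
    int r = validate_rsn_ie(&ccmp_psk_policy, ie_ok, sizeof ie_ok);
    printf("legit client: %s\n", r ? "disassociate" : "keep, run 4-way handshake");
    r = validate_rsn_ie(&ccmp_psk_policy, ie_tkip_pairwise, sizeof ie_tkip_pairwise);
    printf("TKIP-only client: disassociate with reason %d\n", r);
    return 0;
}
```

A non-zero return is what the driver wrapper's disassociate call would be fed; a zero return only means the station may start the 4-way handshake, so its 802.1X controlled port must still stay unauthorized (EAPOL frames only) until the keys are installed, which is the filtering the post says some vendor drivers lack.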
