Bug 1699149 (CVE-2019-9495)

Summary: CVE-2019-9495 wpa_supplicant: EAP-pwd cache side-channel attack
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bgalvani, blueowl, bmcclain, dblechte, dcaratti, dcbw, dfediuck, eedri, john.j5live, linville, lkundrak, mgoldboi, michal.skrivanek, negativo17, sbonazzo, sherold, sukulkar, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in wpa_supplicant. Side channel attacks were recently discovered in the SAE implementations used by both hostapd and wpa_supplicant. EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-22 15:05:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1699151, 1699152, 1699263    
Bug Blocks: 1687612    

Description Laura Pardo 2019-04-11 22:14:11 UTC
A number of potential side channel attacks were recently discovered in the SAE implementations used by both hostapd and wpa_supplicant (see CVE-2019-9494). EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation.


References:
https://wpa3.mathyvanhoef.com/
https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt


Upstream Patch:
https://w1.fi/cgit/hostap/commit/?id=d42c477cc794163a3757956bbffca5cea000923c
https://w1.fi/cgit/hostap/commit/?id=6e34f618d37ddbb5854c42e2ad4fca83492fa7b7
https://w1.fi/cgit/hostap/commit/?id=c93461c1d98f52681717a088776ab32fd97872b0
https://w1.fi/cgit/hostap/commit/?id=aaf65feac67c3993935634eefe5bc76b9fce03aa

Comment 1 Laura Pardo 2019-04-11 22:15:05 UTC
Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1699151]
Affects: fedora-all [bug 1699152]

Comment 3 Riccardo Schirone 2019-04-12 09:27:49 UTC
Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1699263]

Comment 4 Riccardo Schirone 2019-04-12 09:28:56 UTC
Statement:

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6 as they did not include support for EAP-pwd.

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 7 as they are not compiled with EAP-pwd enabled. In particular, the CONFIG_EAP_PWD=y option is not set at compile time.

Comment 6 Laura Pardo 2019-04-12 20:29:50 UTC
Acknowledgments:

Name: Mathy Vanhoef (NYUAD), Eyal Ronen (Tel Aviv University & KU Leuven)

Comment 8 Riccardo Schirone 2019-04-15 10:01:05 UTC
From the external reference: "The attacker could use information about the selected branch to learn information about the password and combine this information from number of handshake instances with an offline dictionary attack. With sufficient number of handshakes and sufficiently weak password, this might result in full recovery of the used password if that password is not strong enough to protect against dictionary attacks."

Comment 10 Fedora Update System 2019-04-23 18:49:15 UTC
hostapd-2.7-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2019-04-23 20:13:55 UTC
hostapd-2.7-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.