Bug 1699149 (CVE-2019-9495)
| Summary: | CVE-2019-9495 wpa_supplicant: EAP-pwd cache side-channel attack | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | arachman, bgalvani, blueowl, bmcclain, dblechte, dcaratti, dcbw, dfediuck, eedri, john.j5live, linville, lkundrak, lveyde, mgoldboi, michal.skrivanek, mperina, negativo17, nobody, sbonazzo, sherold, sukulkar, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in wpa_supplicant. Side channel attacks were recently discovered in the SAE implementations used by both hostapd and wpa_supplicant. EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-05-22 15:05:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1699151, 1699152, 1699263 | ||
| Bug Blocks: | 1687612 | ||
|
Description
Laura Pardo
2019-04-11 22:14:11 UTC
Created hostapd tracking bugs for this issue: Affects: epel-all [bug 1699151] Affects: fedora-all [bug 1699152] Created wpa_supplicant tracking bugs for this issue: Affects: fedora-all [bug 1699263] Statement: This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6 as they did not include support for EAP-pwd. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 7 as they are not compiled with EAP-pwd enabled. In particular, the CONFIG_EAP_PWD=y option is not set at compile time. Acknowledgments: Name: Mathy Vanhoef (NYUAD), Eyal Ronen (Tel Aviv University & KU Leuven) External References: https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt https://www.kb.cert.org/vuls/id/871675/ From the external reference: "The attacker could use information about the selected branch to learn information about the password and combine this information from number of handshake instances with an offline dictionary attack. With sufficient number of handshakes and sufficiently weak password, this might result in full recovery of the used password if that password is not strong enough to protect against dictionary attacks." hostapd-2.7-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. hostapd-2.7-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |