Bug 1737665 (CVE-2019-13377)

Summary: CVE-2019-13377 wpa_supplicant: Timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bgalvani, blueowl, dcaratti, dcbw, john.j5live, linville, lkundrak, negativo17, rschiron, sukulkar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: wpa_supplicant 2.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-11 18:45:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1737666, 1737667, 1737668    
Bug Blocks: 1740727    

Description Pedro Sampaio 2019-08-06 01:45:39 UTC 
Using Brainpool curves in WPA3's Dragonfly handshake introduces a side-channel leak, located in the password encoding algorithm of Dragonfly. This flaw allows an attacker to measure the timing differences and leak important information that can be used to bruteforce the Wi-Fi password.

References:
https://wpa3.mathyvanhoef.com/#new
Comment 1 Pedro Sampaio 2019-08-06 01:46:03 UTC 
Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1737668]
Affects: fedora-all [bug 1737667]


Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1737666]
Comment 2 Riccardo Schirone 2019-09-11 15:22:08 UTC 
Upstream references:
https://w1.fi/security/2019-6/
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Upstream patches:
https://w1.fi/cgit/hostap/commit/?id=8e14b030e558d23f65d761895c07089404e61cf1
https://w1.fi/cgit/hostap/commit/?id=7958223fdcfe82479e6ed71019a84f6d4cbf799c
https://w1.fi/cgit/hostap/commit/?id=1e237903f5b5d3117342daf006c5878cdb45e3d3
https://w1.fi/cgit/hostap/commit/?id=147bf7b88a9c231322b5b574263071ca6dbb0503
https://w1.fi/cgit/hostap/commit/?id=cd803299ca485eb857e37c88f973fccfbb8600e5
https://w1.fi/cgit/hostap/commit/?id=876c5eaa6dae1a87a17603fc489a44c29eedc2e3
Comment 3 Riccardo Schirone 2019-09-11 15:22:10 UTC 
External References:

https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt
Comment 4 Riccardo Schirone 2019-09-11 15:37:36 UTC 
Setting Attack Complexity (AC) to High because an attacker needs the password to be weak for the dictionary attack to succeed, which is not under the attacker control.
Comment 5 Riccardo Schirone 2019-09-11 16:13:18 UTC 
Statement:

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SAE (Simultaneous Authentication of Equals) nor for EAP-pwd.

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 7 and 8 as they are not compiled with SAE (Simultaneous Authentication of Equals) nor with EAP-pwd enabled. In particular, the CONFIG_SAE=y and CONFIG_EAP_PWD=y options are not set at compile time.
Comment 6 Product Security DevOps Team 2019-09-11 18:45:33 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13377