Bug 1737665 (CVE-2019-13377)

Summary: CVE-2019-13377 wpa_supplicant: Timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bgalvani, blueowl, dcaratti, dcbw, john.j5live, linville, lkundrak, negativo17, rschiron, sukulkar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: wpa_supplicant 2.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-11 18:45:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1737666, 1737667, 1737668    
Bug Blocks: 1740727    

Description Pedro Sampaio 2019-08-06 01:45:39 UTC
Using Brainpool curves in WPA3's Dragonfly handshake introduces a side-channel leak, located in the password encoding algorithm of Dragonfly. This flaw allows an attacker to measure the timing differences and leak important information that can be used to bruteforce the Wi-Fi password.


Comment 1 Pedro Sampaio 2019-08-06 01:46:03 UTC
Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1737668]
Affects: fedora-all [bug 1737667]

Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1737666]

Comment 3 Riccardo Schirone 2019-09-11 15:22:10 UTC
External References:


Comment 4 Riccardo Schirone 2019-09-11 15:37:36 UTC
Setting Attack Complexity (AC) to High because an attacker needs the password to be weak for the dictionary attack to succeed, which is not under the attacker control.

Comment 5 Riccardo Schirone 2019-09-11 16:13:18 UTC

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SAE (Simultaneous Authentication of Equals) nor for EAP-pwd.

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 7 and 8 as they are not compiled with SAE (Simultaneous Authentication of Equals) nor with EAP-pwd enabled. In particular, the CONFIG_SAE=y and CONFIG_EAP_PWD=y options are not set at compile time.

Comment 6 Product Security DevOps Team 2019-09-11 18:45:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):