A number of potential side channel attacks were recently discovered in the SAE implementations used by both hostapd and wpa_supplicant (see CVE-2019-9494). EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation. References: https://wpa3.mathyvanhoef.com/ https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt Upstream Patch: https://w1.fi/cgit/hostap/commit/?id=d42c477cc794163a3757956bbffca5cea000923c https://w1.fi/cgit/hostap/commit/?id=6e34f618d37ddbb5854c42e2ad4fca83492fa7b7 https://w1.fi/cgit/hostap/commit/?id=c93461c1d98f52681717a088776ab32fd97872b0 https://w1.fi/cgit/hostap/commit/?id=aaf65feac67c3993935634eefe5bc76b9fce03aa
Created hostapd tracking bugs for this issue: Affects: epel-all [bug 1699151] Affects: fedora-all [bug 1699152]
Created wpa_supplicant tracking bugs for this issue: Affects: fedora-all [bug 1699263]
Statement: This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6 as they did not include support for EAP-pwd. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 7 as they are not compiled with EAP-pwd enabled. In particular, the CONFIG_EAP_PWD=y option is not set at compile time.
Acknowledgments: Name: Mathy Vanhoef (NYUAD), Eyal Ronen (Tel Aviv University & KU Leuven)
External References: https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt https://www.kb.cert.org/vuls/id/871675/
From the external reference: "The attacker could use information about the selected branch to learn information about the password and combine this information from number of handshake instances with an offline dictionary attack. With sufficient number of handshakes and sufficiently weak password, this might result in full recovery of the used password if that password is not strong enough to protect against dictionary attacks."
hostapd-2.7-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
hostapd-2.7-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.