1699149 – (CVE-2019-9495) CVE-2019-9495 wpa_supplicant: EAP-pwd cache side-channel attack

Bug 1699149 (CVE-2019-9495) - CVE-2019-9495 wpa_supplicant: EAP-pwd cache side-channel attack

Summary: CVE-2019-9495 wpa_supplicant: EAP-pwd cache side-channel attack

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2019-9495
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1699151 1699152 1699263
Blocks:	1687612
TreeView+	depends on / blocked

Reported:	2019-04-11 22:14 UTC by Laura Pardo
Modified:	2021-02-16 22:06 UTC (History)
CC List:	18 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in wpa_supplicant. Side channel attacks were recently discovered in the SAE implementations used by both hostapd and wpa_supplicant. EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:	2019-05-22 15:05:24 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2019-04-11 22:14:11 UTC

A number of potential side channel attacks were recently discovered in the SAE implementations used by both hostapd and wpa_supplicant (see CVE-2019-9494). EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation.


References:
https://wpa3.mathyvanhoef.com/
https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt


Upstream Patch:
https://w1.fi/cgit/hostap/commit/?id=d42c477cc794163a3757956bbffca5cea000923c
https://w1.fi/cgit/hostap/commit/?id=6e34f618d37ddbb5854c42e2ad4fca83492fa7b7
https://w1.fi/cgit/hostap/commit/?id=c93461c1d98f52681717a088776ab32fd97872b0
https://w1.fi/cgit/hostap/commit/?id=aaf65feac67c3993935634eefe5bc76b9fce03aa

Comment 1 Laura Pardo 2019-04-11 22:15:05 UTC

Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 1699151]
Affects: fedora-all [bug 1699152]

Comment 3 Riccardo Schirone 2019-04-12 09:27:49 UTC

Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 1699263]

Comment 4 Riccardo Schirone 2019-04-12 09:28:56 UTC

Statement:

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6 as they did not include support for EAP-pwd.

This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 7 as they are not compiled with EAP-pwd enabled. In particular, the CONFIG_EAP_PWD=y option is not set at compile time.

Comment 6 Laura Pardo 2019-04-12 20:29:50 UTC

Acknowledgments:

Name: Mathy Vanhoef (NYUAD), Eyal Ronen (Tel Aviv University & KU Leuven)

Comment 7 Laura Pardo 2019-04-12 20:29:53 UTC

External References:

https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
https://www.kb.cert.org/vuls/id/871675/

Comment 8 Riccardo Schirone 2019-04-15 10:01:05 UTC

From the external reference: "The attacker could use information about the selected branch to learn information about the password and combine this information from number of handshake instances with an offline dictionary attack. With sufficient number of handshakes and sufficiently weak password, this might result in full recovery of the used password if that password is not strong enough to protect against dictionary attacks."

Comment 10 Fedora Update System 2019-04-23 18:49:15 UTC

hostapd-2.7-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2019-04-23 20:13:55 UTC

hostapd-2.7-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.