My Blog

WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant

Vulnerability Note VU#871675

Overview

Multiple vulnerabilities have been identified in WPA3 protocol design and implementations of hostapd and wpa_supplicant, which can allow a remote attacker to acquire a weak password, conduct a denial of service, or gain complete authorization. These vulnerabilities have also been referred to as Dragonblood.

Description

CERT continues to review the WPA3 protocol in support of this body of research. The root cause of the numerous « implementation » vulnerabilities may involve modifying the protocol.

WPA3 uses Simultaneous Authentication of Equals (SAE), also known as Dragonfly Key Exchange, as the initial key exchange protocol, replacing WPA2’s Pre-Shared Key (PSK) protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components, as implemented with Extensible Authentication Protocol Password (EAP-PWD )and SAE, are vulnerable as follows:

CVE-2019-9494: SAE cache attack against ECC groups (SAE side-channel attacks) – CWE-208 and CWE-524
The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns.

CVE-2019-9495: EAP-PWD cache attack against ECC groups (EAP-PWD side-channel attack) – CWE-524
The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable.

CVE-2019-9496: SAE confirm missing state validation – CWE-642
An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable.

CVE-2019-9497: EAP-PWD reflection attack (EAP-PWD missing commit validation) – CWE-301
The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit.

CVE-2019-9498: EAP-PWD server missing commit validation for scalar/element – CWE-346
The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit.

CVE-2019-9499: EAP-PWD peer missing commit validation for scalar/element – CWE-346
The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit.

Impact

CVE-2019-9494: SAE cache attack against ECC groups (SAE side-channel attacks) – CWE-208 and CWE-524
An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery.

CVE-2019-9495: EAP-PWD cache attack against ECC groups (EAP-PWD side-channel attack) – CWE-524
The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494.

CVE-2019-9496: SAE confirm missing state validation – CWE-642
An attacker may force the hostapd process to terminate, performing a denial of service attack.

CVE-2019-9497: EAP-PWD reflection attack (EAP-PWD missing commit validation) – CWE-301
This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange.

CVE-2019-9498: EAP-PWD server missing commit validation for scalar/element – CWE-346
An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password.

CVE-2019-9499: EAP-PWD peer missing commit validation for scalar/element – CWE-346
An attacker may complete authentication, session key and control of the data connection with a client.

Solution

Upgrade wpa_supplicant and hostapd to version 2.8, when available. Additional mitigation options are listed below.
Check your vendor for mitigation information.

Mitigations are available for
CVE-2019-9494 https://w1.fi/security/2019-1/
CVE-2019-9495 https://w1.fi/security/2019-2/
CVE-2019-9496 https://w1.fi/security/2019-3/
CVE-2019-9497 https://w1.fi/security/2019-4/
CVE-2019-9498 https://w1.fi/security/2019-4/
CVE-2019-9499 https://w1.fi/security/2019-4/

 

my-tracker_cpteWPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant