Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 16 Jan 2022 23:22:57 +0200
From: Jouni Malinen <j@...fi>
To: oss-security@...ts.openwall.com
Subject: wpa_supplicant/hostapd: SAE/EAP-pwd side-channel attack update 2

Published: January 16, 2022
Latest version available from: https://w1.fi/security/2022-1/

This is an update on earlier security advisories 2019-1 and
2019-2. Please see those advisories for more details in the issues.
https://w1.fi/security/2019-1/
https://w1.fi/security/2019-2/

Vulnerability

hostapd and wpa_supplicant security advisories 2019-1 and 2019-2
addressed side-channel attacks related to SAE and EAP-pwd. The
improvements identified in those advisories made it more difficult to
observe external differences in timing or memory access to mitigate
against this type of attacks. However, the identified changes did not
remove all differences. The external crypto library functions used to
implement crypto_ec_point_solve_y_coord() might not use a constant time
design and as such, might enable some side-channel channel attacks.

In particular, a potential new cache-based attack has been described
that could allow an attacker that is able to run unprivileged code on
the same processor might be able to gain enough information from the
SAE/EAP-pwd operations to be able to perform an offline dictionary attack
that could work against sufficiently weak passwords.


Vulnerable versions/configurations

All wpa_supplicant and hostapd versions with SAE support (CONFIG_SAE=y
in the build configuration and in the runtime configuration).

All wpa_supplicant and hostapd versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration).


Acknowledgments

Thanks to Daniel De Almeida Braga, Mohamed Sabt, and Pierre-Alain Fouque
(all affiliated to the University of Rennes 1, IRISA, France) for
discovering and reporting the issue.


Possible mitigation steps

- Update to wpa_supplicant/hostapd v2.10 or newer

- Merge the following commits to wpa_supplicant/hostapd v2.9 and
  rebuild:
  crypto: Add more bignum/EC helper functions
  dragonfly: Add sqrt() helper function
  SAE: Derive the y coordinate for PWE with own implementation
  EAP-pwd: Derive the y coordinate for PWE with own implementation

  These patches are available from https://w1.fi/security/2022-1/

-- 
Jouni Malinen                                            PGP id EFC895FA

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.