CERT Coordination Center

WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant

Vulnerability Note VU#871675

Original Release Date: 2019-04-12 | Last Revised: 2019-06-05

Overview

Multiple vulnerabilities have been identified in WPA3 protocol design and implementations of hostapd and wpa_supplicant, which can allow a remote attacker to acquire a weak password, conduct a denial of service, or gain complete authorization. These vulnerabilities have also been referred to as Dragonblood.

Description

CERT continues to review the WPA3 protocol in support of this body of research. Addressing the root cause of the numerous "implementation" vulnerabilities may involve modifying the protocol.

WPA3 uses Simultaneous Authentication of Equals (SAE), also known as Dragonfly Key Exchange, as the initial key exchange protocol, replacing WPA2's Pre-Shared Key (PSK) protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components, as implemented with Extensible Authentication Protocol Password (EAP-PWD) and SAE, are vulnerable as follows:

CVE-2019-9494: SAE cache attack against ECC groups (SAE side-channel attacks) - CWE-208 and CWE-524
The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns.

CVE-2019-9495: EAP-PWD cache attack against ECC groups (EAP-PWD side-channel attack) - CWE-524
The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of cache access patterns. hostapd and wpa_supplicant versions 2.7 and earlier with EAP-PWD support are vulnerable.

CVE-2019-9496: SAE confirm missing state validation - CWE-642
An invalid authentication sequence could result in the hostapd process terminating, due to missing state validation steps when processing the SAE confirm message in hostapd/AP mode. All versions of hostapd with SAE support are vulnerable.

CVE-2019-9497: EAP-PWD reflection attack (EAP-PWD missing commit validation) - CWE-301
The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit.

CVE-2019-9498: EAP-PWD server missing commit validation for scalar/element - CWE-346
The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit.

CVE-2019-9499: EAP-PWD peer missing commit validation for scalar/element - CWE-346
The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit.
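The commit validation that CVE-2019-9497, CVE-2019-9498 and CVE-2019-9499 describe as missing can be sketched as follows. This is an added example, not code from hostapd or wpa_supplicant: the struct and function names are hypothetical, and a constructed toy curve over GF(17) stands in for a real ECC group so the checks stay readable without a bignum library.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17), prime order r = 19,
 * cofactor 1. Real groups are far larger and handled by a crypto library. */
struct curve { uint64_t p, a, b, r; };
struct point { uint64_t x, y; };
struct commit { uint64_t scalar; struct point element; };

enum commit_status { COMMIT_OK, COMMIT_BAD_SCALAR, COMMIT_BAD_ELEMENT,
                     COMMIT_REFLECTED };

static const struct curve TOY = { 17, 2, 2, 19 };

/* Affine coordinates must be reduced field elements that satisfy the curve
 * equation. The point at infinity has no affine encoding, so it cannot pass.
 * With cofactor 1, every point on the curve is in the prime-order group. */
static bool on_curve(const struct curve *c, const struct point *pt)
{
    if (pt->x >= c->p || pt->y >= c->p)
        return false;
    uint64_t lhs = pt->y * pt->y % c->p;
    uint64_t rhs = (pt->x * pt->x % c->p * pt->x + c->a * pt->x + c->b) % c->p;
    return lhs == rhs;
}

/* Hypothetical helper: validate a received commit before it is used in any
 * key derivation. `mine` is the commit this side sent earlier. */
enum commit_status validate_commit(const struct curve *c,
                                   const struct commit *mine,
                                   const struct commit *peer)
{
    /* The scalar must satisfy 1 < scalar < r. */
    if (peer->scalar <= 1 || peer->scalar >= c->r)
        return COMMIT_BAD_SCALAR;
    /* Do this explicitly rather than relying on the crypto library. */
    if (!on_curve(c, &peer->element))
        return COMMIT_BAD_ELEMENT;
    /* A peer that echoes our own scalar or element back is a reflection. */
    if (peer->scalar == mine->scalar ||
        (peer->element.x == mine->element.x &&
         peer->element.y == mine->element.y))
        return COMMIT_REFLECTED;
    return COMMIT_OK;
}
```
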

Impact

CVE-2019-9494: SAE cache attack against ECC groups (SAE side-channel attacks) - CWE-208 and CWE-524
An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery.

CVE-2019-9495: EAP-PWD cache attack against ECC groups (EAP-PWD side-channel attack) - CWE-524
The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer are not vulnerable to the timing attack described in CVE-2019-9494.

CVE-2019-9496: SAE confirm missing state validation - CWE-642
An attacker may force the hostapd process to terminate, performing a denial of service attack.

CVE-2019-9497: EAP-PWD reflection attack (EAP-PWD missing commit validation) - CWE-301
This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, the attacker will not be able to derive the session key or complete the key exchange unless the crypto library lacks additional checks for the EC point.

CVE-2019-9498: EAP-PWD server missing commit validation for scalar/element - CWE-346
An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password.

CVE-2019-9499: EAP-PWD peer missing commit validation for scalar/element - CWE-346
An attacker may complete authentication and gain the session key and control of the data connection with a client.

Solution

Upgrade wpa_supplicant and hostapd to version 2.8, when available. Additional mitigation options are listed below.

Check your vendor for mitigation information.

Mitigations are available for:
CVE-2019-9494 https://w1.fi/security/2019-1/
CVE-2019-9495 https://w1.fi/security/2019-2/
CVE-2019-9496 https://w1.fi/security/2019-3/
CVE-2019-9497 https://w1.fi/security/2019-4/
CVE-2019-9498 https://w1.fi/security/2019-4/
CVE-2019-9499 https://w1.fi/security/2019-4/


CVSS Metrics

Group | Score | Vector
Base | 7 | AV:A/AC:M/Au:S/C:C/I:C/A:P
Temporal | 7 | E:ND/RL:ND/RC:C
Environmental | 7.0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) for reporting this vulnerability, Jouni Malinen for patches, and Kevin Robinson for support from Wi-Fi Alliance.

This document was written by Laurie Tyzenhaus and Madison Oliver.

Other Information

CVE IDs: CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499
Date Public: 2019-04-10
Date First Published: 2019-04-12
Date Last Updated: 2019-06-05 21:33 UTC
Document Revision: 86

Sponsored by CISA.