OpenWRT firmware for routers
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
Go to file
Stefan Lippers-Hollmann 8f17c019a1 hostapd: fix CVE-2019-9497, CVE-2019-9498, CVE-2019-9499
EAP-pwd missing commit validation

Published: April 10, 2019
Identifiers:
- CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
- CVE-2019-9498 (EAP-pwd server missing commit validation for
  scalar/element)
- CVE-2019-9499 (EAP-pwd peer missing commit validation for
  scalar/element)

Latest version available from: https://w1.fi/security/2019-4/

Vulnerability

EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
peer) was discovered not to validate the received scalar and element
values in EAP-pwd-Commit messages properly. This could result in attacks
that would be able to complete EAP-pwd authentication exchange without
the attacker having to know the used password.

A reflection attack is possible against the EAP-pwd server since the
hostapd EAP server did not verify that the EAP-pwd-Commit contains
scalar/element values that differ from the ones the server sent out
itself. This allows the attacker to complete EAP-pwd authentication
without knowing the password, but this does not result in the attacker
being able to derive the session key (MSK), i.e., the attacker would not
be able to complete the following key exchange (e.g., 4-way handshake in
RSN/WPA).

An attack using invalid scalar/element values is possible against both
the EAP-pwd server and peer since hostapd and wpa_supplicant did not
validate these values in the received EAP-pwd-Commit messages. If the
used crypto library does not implement additional checks for the element
(EC point), this could result in attacks where the attacker could use a
specially crafted commit message values to manipulate the exchange to
result in deriving a session key value from a very small set of possible
values. This could further be used to attack the EAP-pwd server in a
practical manner. An attack against the EAP-pwd peer is slightly more
complex, but still consider practical. These invalid scalar/element
attacks could result in the attacker being able to complete
authentication and learn the session key and MSK to allow the key
exchange to be completed as well, i.e., the attacker gaining access to
the network in case of the attack against the EAP server or the attacker
being able to operate a rogue AP in case of the attack against the EAP
peer.

While similar attacks might be applicable against SAE, it should be
noted that the SAE implementation in hostapd and wpa_supplicant does
have the validation steps that were missing from the EAP-pwd
implementation and as such, these attacks do not apply to the current
SAE implementation. Old versions of wpa_supplicant/hostapd did not
include the reflection attack check in the SAE implementation, though,
since that was added in June 2015 for v2.5 (commit 6a58444d27fd 'SAE:
Verify that own/peer commit-scalar and COMMIT-ELEMENT are different').

Vulnerable versions/configurations

All hostapd versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build
configuration and EAP-pwd being enabled in the runtime configuration)
are vulnerable against the reflection attack.

All wpa_supplicant and hostapd versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration) are vulnerable against the invalid
scalar/element attack when built against a crypto library that does not
have an explicit validation step on imported EC points. The following
list indicates which cases are vulnerable/not vulnerable:
- OpenSSL v1.0.2 or older: vulnerable
- OpenSSL v1.1.0 or newer: not vulnerable
- BoringSSL with commit 38feb990a183 ('Require that EC points are on the
  curve.') from September 2015: not vulnerable
- BoringSSL without commit 38feb990a183: vulnerable
- LibreSSL: vulnerable
- wolfssl: vulnerable

Acknowledgments

Thanks to Mathy Vanhoef (New York University Abu Dhabi) for discovering
and reporting the issues and for proposing changes to address them in
the implementation.

Possible mitigation steps

- Merge the following commits to wpa_supplicant/hostapd and rebuild:

  CVE-2019-9497:
  EAP-pwd server: Detect reflection attacks

  CVE-2019-9498:
  EAP-pwd server: Verify received scalar and element
  EAP-pwd: Check element x,y coordinates explicitly

  CVE-2019-9499:
  EAP-pwd client: Verify received scalar and element
  EAP-pwd: Check element x,y coordinates explicitly

  These patches are available from https://w1.fi/security/2019-4/

- Update to wpa_supplicant/hostapd v2.8 or newer, once available

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
5 years ago
.github build: Update README & github help 6 years ago
config mvebu: make bootfs size for sdcard image configurable 5 years ago
include kernel: bump 4.19 to 4.19.34 5 years ago
package hostapd: fix CVE-2019-9497, CVE-2019-9498, CVE-2019-9499 5 years ago
scripts scripts/qemustart: Allow specifying custom rootfs for malta 5 years ago
target imx6: bump sdma firmware to 3.4 5 years ago
toolchain glibc: update to latest 2.27 commit [BZ #22964] 5 years ago
tools tools: cbootimage: depend on automake 5 years ago
.gitattributes add .gitattributes to prevent the git autocrlf option from messing with CRLF/LF in files 12 years ago
.gitignore .gitignore: add .project & .cproject for eclipse users 6 years ago
BSDmakefile add missing copyright header 17 years ago
Config.in merge: base: update base-files and basic config 7 years ago
LICENSE finally move buildroot-ng to trunk 8 years ago
Makefile build: Unset CDPATH to avoid problems 6 years ago
README build: README punctuation pendantry 6 years ago
feeds.conf.default feeds: switch git.lede-project.org URLs to git.openwrt.org 6 years ago
rules.mk librpc: remove package 5 years ago

README

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------

This is the buildsystem for the OpenWrt Linux distribution.

To build your own firmware you need a Linux, BSD or MacOSX system (case
sensitive filesystem required). Cygwin is unsupported because of the lack
of a case sensitive file system.

You need gcc, binutils, bzip2, flex, python, perl, make, find, grep, diff,
unzip, gawk, getopt, subversion, libz-dev and libc headers installed.

1. Run "./scripts/feeds update -a" to obtain all the latest package definitions
defined in feeds.conf / feeds.conf.default

2. Run "./scripts/feeds install -a" to install symlinks for all obtained
packages into package/feeds/

3. Run "make menuconfig" to select your preferred configuration for the
toolchain, target system & firmware packages.

4. Run "make" to build your firmware. This will download all sources, build
the cross-compile toolchain and then cross-compile the Linux kernel & all
chosen applications for your target system.

Sunshine!
	Your OpenWrt Community
	http://www.openwrt.org