Bug 831332 (CVE-2022-23303, CVE-2022-23304) - <net-wireless/hostapd-2.10, <net-wireless/wpa_supplicant-2.10: SAE/EAP-pwd side-channel attack
Summary: <net-wireless/hostapd-2.10, <net-wireless/wpa_supplicant-2.10: SAE/EAP-pwd si...
Status: IN_PROGRESS
Alias: CVE-2022-23303, CVE-2022-23304
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on: 833576 834461
Blocks:
Reported: 2022-01-17 02:12 UTC by Sam James
Modified: 2022-03-18 01:19 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-17 02:12:24 UTC
See https://www.openwall.com/lists/oss-security/2022/01/16/2.

```
Published: January 16, 2022
Latest version available from: https://w1.fi/security/2022-1/

This is an update on earlier security advisories 2019-1 and
2019-2. Please see those advisories for more details in the issues.
https://w1.fi/security/2019-1/
https://w1.fi/security/2019-2/

Vulnerability

hostapd and wpa_supplicant security advisories 2019-1 and 2019-2
addressed side-channel attacks related to SAE and EAP-pwd. The
improvements identified in those advisories made it more difficult to
observe external differences in timing or memory access to mitigate
against this type of attack. However, the identified changes did not
remove all differences. The external crypto library functions used to
implement crypto_ec_point_solve_y_coord() might not use a constant time
design and as such, might enable some side-channel attacks.

In particular, a potential new cache-based attack has been described
that could allow an attacker who is able to run unprivileged code on
the same processor to gain enough information from the
SAE/EAP-pwd operations to be able to perform an offline dictionary attack
that could work against sufficiently weak passwords.


Vulnerable versions/configurations

All wpa_supplicant and hostapd versions with SAE support (CONFIG_SAE=y
in the build configuration and in the runtime configuration).

All wpa_supplicant and hostapd versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration).


Acknowledgments

Thanks to Daniel De Almeida Braga, Mohamed Sabt, and Pierre-Alain Fouque
(all affiliated to the University of Rennes 1, IRISA, France) for
discovering and reporting the issue.


Possible mitigation steps

- Update to wpa_supplicant/hostapd v2.10 or newer

- Merge the following commits to wpa_supplicant/hostapd v2.9 and
  rebuild:
  crypto: Add more bignum/EC helper functions
  dragonfly: Add sqrt() helper function
  SAE: Derive the y coordinate for PWE with own implementation
  EAP-pwd: Derive the y coordinate for PWE with own implementation

  These patches are available from https://w1.fi/security/2022-1/
```
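As an added example (not part of this bug report or of the w1.fi advisory), the POSIX shell script below applies the advisory's "Vulnerable versions/configurations" criteria to a single build: a hostapd/wpa_supplicant version below 2.10 is affected when its build configuration has CONFIG_SAE=y or CONFIG_EAP_PWD=y, and 2.10 or newer carries the fix. The function names, the version strings and the two .config files are constructed for the example; the script takes a version and a build config file as arguments rather than querying Portage, and it does not look at the runtime configuration (sae/EAP-pwd enabled in hostapd.conf or wpa_supplicant.conf), which the advisory also lists as a condition.

```shell
#!/bin/sh
# Added example, not code from the bug or the advisory: classify a
# hostapd/wpa_supplicant build against the advisory's affected criteria
# (version < 2.10 AND CONFIG_SAE=y or CONFIG_EAP_PWD=y in the build config).
# The version strings and .config files below are constructed samples.

# version_lt A B: succeeds when Gentoo-style version A sorts before B.
# sort -V orders 2.9-r8 before 2.10 and 2.10 before 2.10-r1, which matches
# how Portage orders these particular versions.
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# vulnerable_feature_enabled CONFIG: succeeds when the build config enables
# SAE or EAP-pwd, the two code paths the advisory names. Commented-out
# lines ("# CONFIG_SAE=y") do not count.
vulnerable_feature_enabled() {
    grep -Eq '^[[:space:]]*CONFIG_(SAE|EAP_PWD)=y' "$1"
}

# classify VERSION CONFIG: prints one of
#   affected      - version < 2.10 and SAE/EAP-pwd compiled in
#   not-built-in  - version < 2.10 but neither feature compiled in
#   fixed         - version >= 2.10 (own y-coordinate derivation included)
classify() {
    ver=$1
    cfg=$2
    if ! version_lt "$ver" 2.10; then
        echo fixed
    elif vulnerable_feature_enabled "$cfg"; then
        echo affected
    else
        echo not-built-in
    fi
}

# Constructed sample build configs (hypothetical contents).
tmp=$(mktemp -d)
cat > "$tmp/sae.config" <<'EOF'
# a commented-out CONFIG_SAE=y line must not count as enabled
CONFIG_SAE=y
CONFIG_EAP_PWD=y
EOF
cat > "$tmp/plain.config" <<'EOF'
# CONFIG_SAE=y
# CONFIG_EAP_PWD=y
CONFIG_DRIVER_NL80211=y
EOF

classify 2.9-r8 "$tmp/sae.config"    # affected
classify 2.9-r8 "$tmp/plain.config"  # not-built-in
classify 2.10 "$tmp/sae.config"      # fixed
```

On a real system the version comes from the installed package (for example the output of `qlist -Iv net-wireless/wpa_supplicant`), and the build config is whatever the ebuild wrote before compiling; the classification logic stays the same.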
Comment 1 Larry the Git Cow gentoo-dev 2022-01-17 02:20:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=744939bdfc1a0a6296c709d4382d3676abdb2b66

commit 744939bdfc1a0a6296c709d4382d3676abdb2b66
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-17 02:14:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-17 02:20:13 +0000

    net-wireless/wpa_supplicant: add 2.10 (security bump)
    
    Bug: https://bugs.gentoo.org/831332
    Closes: https://bugs.gentoo.org/829180
    Signed-off-by: Sam James <sam@gentoo.org>

 net-wireless/wpa_supplicant/Manifest               |   1 +
 .../wpa_supplicant/wpa_supplicant-2.10.ebuild      | 478 +++++++++++++++++++++
 .../wpa_supplicant/wpa_supplicant-9999.ebuild      |  10 +-
 3 files changed, 482 insertions(+), 7 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=897e3fc7404602f02dd84b9258b6812a0167e99e

commit 897e3fc7404602f02dd84b9258b6812a0167e99e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-17 02:12:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-17 02:20:12 +0000

    net-wireless/hostapd: add 2.10 (security bump)
    
    Bug: https://bugs.gentoo.org/816957
    Bug: https://bugs.gentoo.org/831332
    Signed-off-by: Sam James <sam@gentoo.org>

 net-wireless/hostapd/Manifest            |   1 +
 net-wireless/hostapd/hostapd-2.10.ebuild | 262 +++++++++++++++++++++++++++++++
 net-wireless/hostapd/hostapd-9999.ebuild |  17 +-
 3 files changed, 270 insertions(+), 10 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2022-03-17 02:15:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=093594dc110993c6f0b2cefe5935d56977e4ee37

commit 093594dc110993c6f0b2cefe5935d56977e4ee37
Author:     Rick Farina <zerochaos@gentoo.org>
AuthorDate: 2022-03-17 02:01:30 +0000
Commit:     Rick Farina <zerochaos@gentoo.org>
CommitDate: 2022-03-17 02:15:46 +0000

    net-wireless/wpa_supplicant: drop 2.9-r4, 2.9-r5, 2.9-r8
    
    Signed-off-by: Rick Farina <zerochaos@gentoo.org>
    Bug: https://bugs.gentoo.org/831332

 net-wireless/wpa_supplicant/Manifest               |   1 -
 .../wpa_supplicant/wpa_supplicant-2.9-r4.ebuild    | 465 -------------------
 .../wpa_supplicant/wpa_supplicant-2.9-r5.ebuild    | 471 --------------------
 .../wpa_supplicant/wpa_supplicant-2.9-r8.ebuild    | 490 ---------------------
 4 files changed, 1427 deletions(-)