Wind River Support Network

HomeSafety and Security NoticesWind River Linux Security Alert for hostap(hostapd and wpa_supplicant)

Recommended

Wind River Linux Security Alert for hostap(hostapd and wpa_supplicant)

Released: --

Summary

several WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant been find and effect on all our supporting release(CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499).

Affected Product Versions

Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 8, Wind River Linux 7

Description

Multiple vulnerabilities have been identified in WPA3 protocol design and implementations of hostapd and wpa_supplicant, which can allow a remote attacker to acquire a weak password, conduct a denial of service, or gain complete authorization. These vulnerabilities have also been referred to as Dragonblood.

CERT continues to review the WPA3 protocol in support of this body of research. The root cause of the numerous "implementation" vulnerabilities may involve modifying the protocol.

WPA3 uses Simultaneous Authentication of Equals (SAE), also known as Dragonfly Key Exchange, as the initial key exchange protocol, replacing WPA2's Pre-Shared Key (PSK) protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components, as implemented with Extensible Authentication Protocol Password (EAP-PWD )and SAE, are vulnerable.

CVE-2019-9494
CVE-2019-9495
CVE-2019-9496
CVE-2019-9497
CVE-2019-9498
CVE-2019-9499

Is Wind River Linux affected by these CVE issues?

Wind River Linux 7, Wind River Linux 8, Wind River Linux 9, Wind River Linux LTS 17, Wind River Linux LTS 18. Vulnerable source code exist in all these releases while for related user space packages, CONFIG_SAE or CONFIG_EAP_PWD is not enabled by default, so you don't enable these two options manually, your binary is safe, not affected by these CVE issues.

Wind River will continue to monitor the various Open Source projects and will incorporate fixes as appropriate to supported products.

What software is known to be affected by these CVEs?

User space package wpa-supplicant and hostapd are vulnerable to these CVEs if their configure option CONFIG_SAE or CONFIG_EAP_PWD is enabled manually. By default, these two options are disabled.

Mitigation

For user space package wpa-supplicant and hostapd, if you enable CONFIG_SAE or CONFIG_EAP_PWD manually, you need to:

Update wpa_supplicant/hostapd with source patches of this web page, once available

Use strong passwords to prevent dictionary attacks

Additional References

CVE-2019-9494 https://w1.fi/security/2019-1/
CVE-2019-9495 https://w1.fi/security/2019-2/
CVE-2019-9496 https://w1.fi/security/2019-3/
CVE-2019-9497 https://w1.fi/security/2019-4/
CVE-2019-9498 https://w1.fi/security/2019-4/
CVE-2019-9499 https://w1.fi/security/2019-4/

Installation Notes

Since these CVE issues are not activated by default, we will judge and try to integrate related patches if any customer really need to enable CONFIG_SAE or CONFIG_EAP_PWD in these old releases.