Wind River Support Network

HomeSafety and Security NoticesWind River Linux Security Alert for hostap(hostapd and wpa_supplicant)

Wind River Linux Security Alert for hostap(hostapd and wpa_supplicant)

Released: --


several WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant been find and effect on all our supporting release(CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499).

Affected Product Versions

Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 8, Wind River Linux 7


Multiple vulnerabilities have been identified in WPA3 protocol design and implementations of hostapd and wpa_supplicant, which can allow a remote attacker to acquire a weak password, conduct a denial of service, or gain complete authorization. These vulnerabilities have also been referred to as Dragonblood.

CERT continues to review the WPA3 protocol in support of this body of research. The root cause of the numerous "implementation" vulnerabilities may involve modifying the protocol.

WPA3 uses Simultaneous Authentication of Equals (SAE), also known as Dragonfly Key Exchange, as the initial key exchange protocol, replacing WPA2's Pre-Shared Key (PSK) protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components, as implemented with Extensible Authentication Protocol Password (EAP-PWD )and SAE, are vulnerable.

  • CVE-2019-9494
  • CVE-2019-9495
  • CVE-2019-9496
  • CVE-2019-9497
  • CVE-2019-9498
  • CVE-2019-9499

Is Wind River Linux affected by these CVE issues?

Wind River Linux 7, Wind River Linux 8, Wind River Linux 9, Wind River Linux LTS 17, Wind River Linux LTS 18. Vulnerable source code exist in all these releases while for related user space packages, CONFIG_SAE or CONFIG_EAP_PWD is not enabled by default, so you don't enable these two options manually, your binary is safe, not affected by these CVE issues.

Wind River will continue to monitor the various Open Source projects and will incorporate fixes as appropriate to supported products.

What software is known to be affected by these CVEs?

User space package wpa-supplicant and hostapd are vulnerable to these CVEs if their configure option CONFIG_SAE or CONFIG_EAP_PWD is enabled manually. By default, these two options are disabled.


For user space package wpa-supplicant and hostapd, if you enable CONFIG_SAE or CONFIG_EAP_PWD manually, you need to:
  • Update wpa_supplicant/hostapd with source patches of this web page, once available
  • Use strong passwords to prevent dictionary attacks

Additional References

Installation Notes

Since these CVE issues are not activated by default, we will judge and try to integrate related patches if any customer really need to enable CONFIG_SAE or CONFIG_EAP_PWD in these old releases.

Live chat