SAE/EAP-pwd side-channel attack update 2

Published: January 16, 2022
Latest version available from: https://w1.fi/security/2022-1/

This is an update on the earlier security advisories 2019-1 and 2019-2. Please see those advisories for more details on the issues.

https://w1.fi/security/2019-1/
https://w1.fi/security/2019-2/

Vulnerability

hostapd and wpa_supplicant security advisories 2019-1 and 2019-2 addressed side-channel attacks related to SAE and EAP-pwd. The improvements identified in those advisories made it more difficult to observe external differences in timing or memory access, mitigating this type of attack. However, the identified changes did not remove all differences. The external crypto library functions used to implement crypto_ec_point_solve_y_coord() might not use a constant time design and, as such, might enable some side-channel attacks. In particular, a potential new cache-based attack has been described in which an attacker able to run unprivileged code on the same processor might gain enough information from the SAE/EAP-pwd operations to perform an offline dictionary attack that could work against sufficiently weak passwords.

Vulnerable versions/configurations

All wpa_supplicant and hostapd versions with SAE support (CONFIG_SAE=y in the build configuration and SAE enabled in the runtime configuration).

All wpa_supplicant and hostapd versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd enabled in the runtime configuration).

Acknowledgments

Thanks to Daniel De Almeida Braga, Mohamed Sabt, and Pierre-Alain Fouque (all affiliated with the University of Rennes 1, IRISA, France) for discovering and reporting the issue.
Possible mitigation steps

- Update to wpa_supplicant/hostapd v2.10 or newer
- Merge the following commits to wpa_supplicant/hostapd v2.9 and rebuild:
    crypto: Add more bignum/EC helper functions
    dragonfly: Add sqrt() helper function
    SAE: Derive the y coordinate for PWE with own implementation
    EAP-pwd: Derive the y coordinate for PWE with own implementation

These patches are available from https://w1.fi/security/2022-1/
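The approach those commits take, replacing the library's crypto_ec_point_solve_y_coord() with an own square-root helper whose control flow does not depend on the secret candidate x, is illustrated below as an added example that is not code from hostapd/wpa_supplicant. It assumes a curve prime p = 3 (mod 4), which holds for NIST P-256 (parameters embedded), so sqrt(v) = v^((p+1)/4) mod p.

```python
# Derivation of the PWE y coordinate with data-independent control flow,
# as an illustration of the 2022-1 mitigation idea: a fixed-exponent
# square root plus a branch-free sign selection, instead of a library
# solve_y_coord() whose branches/memory accesses may depend on the input.
# Python big integers are not constant time; the point shown here is the
# structure (no secret-dependent branches), not a timing guarantee.

# NIST P-256 parameters (public constants)
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def ct_select(flag, a, b):
    """Return a if flag == 1 else b using only masking, no branch."""
    mask = -flag  # flag 0 -> 0, flag 1 -> all ones (Python two's complement)
    return (a & mask) | (b & ~mask)


def sqrt_mod_p(v, p=P256_P):
    """Square root modulo p for p = 3 (mod 4): v^((p+1)/4) mod p.
    The exponent is a public constant, so the work done does not
    depend on the (secret) value v."""
    assert p % 4 == 3, "this helper assumes p = 3 (mod 4)"
    return pow(v, (p + 1) // 4, p)


def solve_y(x, want_odd, p=P256_P, a=P256_A, b=P256_B):
    """Return (on_curve, y) with y*y == x^3 + a*x + b (mod p) and the
    low bit of y equal to want_odd. on_curve is 1 or 0 and is derived
    arithmetically, so a hunting-and-pecking loop can keep running the
    same operations whether or not x is on the curve; y is meaningless
    when on_curve is 0."""
    rhs = (pow(x, 3, p) + a * x + b) % p
    y = sqrt_mod_p(rhs, p)
    on_curve = int((y * y) % p == rhs)  # rhs was a quadratic residue
    # pick y or p - y so the parity matches want_odd, without branching
    need_flip = (y & 1) ^ (want_odd & 1)
    y = ct_select(need_flip, (p - y) % p, y)
    return on_curve, y
```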