SAE H2E and incomplete downgrade protection for group negotiation

Published: July 31, 2024
Latest version available from: https://w1.fi/security/2024-2/


Vulnerability

A vulnerability in hostapd implementation of rejected groups information processing for SAE (Simultaneous Authentication of Equals) with hash-to-element (H2E) option was discovered. This allows an attacker to modify SAE commit messages in a manner that can bypass downgrade protection for group negotiation in certain cases. A similar issue in the wpa_supplicant implementation can extend applicability of the issue for additional cases when performing SAE H2E with a vulnerable hostapd implementation.

This vulnerability allows the attacker to downgrade the negotiated group to another enabled group if both the AP and STA have enabled SAE H2E and multiple groups. It should be noted that the H2E option is not enabled by default and the attack is not applicable to the default option, i.e., hunting-and-pecking, since it does not have any downgrade protection for group negotiation. In addition, the default configuration for enabled SAE groups in hostapd is to enable only a single group, so the vulnerability is not applicable unless hostapd has been explicitly configured to enable more groups for SAE.


Vulnerable versions/configurations

wpa_supplicant and hostapd v2.10 with SAE support (CONFIG_SAE=y in the build configuration and in the runtime configuration), SAE H2E enabled (sae_pwe set to 1 or 2 in runtime configuration or by using SAE password identifiers), and multiple SAE groups enabled (sae_groups runtime configuration with more than one group listed).

The hostapd default for the sae_groups parameter is to enable only a single group, so an explicit configuration change is needed for this to be applicable. The wpa_supplicant default for sae_groups is to enable groups 19, 20, and 21, so no explicit configuration change would be needed for this to be applicable within those groups.

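
The runtime conditions listed above can be checked mechanically. The following Python sketch is an added example, not part of the advisory or of the hostapd/wpa_supplicant code; it assumes SAE is in use, a single-BSS hostapd file, an affected v2.10 build, and that password identifiers appear as `sae_password=...|id=...` (hostapd) or `sae_password_id` (wpa_supplicant). The function names and sample configurations are constructed for illustration.

```python
# Added example: runtime-configuration audit for the conditions in this advisory.
# Assumes SAE is in use, a single-BSS hostapd file, and an affected build (v2.10).

# Defaults from the advisory: hostapd enables one SAE group, wpa_supplicant
# enables groups 19, 20 and 21 when sae_groups is not set.
DEFAULT_GROUP_COUNT = {"hostapd": 1, "wpa_supplicant": 3}

def parse_settings(text):
    """Collect key=value lines; keys may repeat (e.g. several sae_password)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def h2e_enabled(settings, daemon):
    """H2E is on with sae_pwe 1 or 2, or when a password identifier is used."""
    if any(v in ("1", "2") for v in settings.get("sae_pwe", [])):
        return True
    if daemon == "hostapd":  # hostapd: sae_password=<password>|id=<identifier>
        return any("|id=" in v for v in settings.get("sae_password", []))
    return bool(settings.get("sae_password_id"))  # wpa_supplicant network block

def group_count(settings, daemon):
    """Number of distinct enabled SAE groups, falling back to the default."""
    values = settings.get("sae_groups", [])
    listed = values[-1].split() if values else []
    groups = {g for g in listed if g.isdigit() and int(g) > 0}
    return len(groups) or DEFAULT_GROUP_COUNT[daemon]

def exposed_config(text, daemon):
    """True when both advisory conditions hold: H2E and more than one group."""
    settings = parse_settings(text)
    return h2e_enabled(settings, daemon) and group_count(settings, daemon) > 1

# Constructed sample configurations (not taken from any real deployment).
HOSTAPD_SAMPLE = "wpa_key_mgmt=SAE\nsae_pwe=2\nsae_groups=19 20 21\n"
SUPPLICANT_SAMPLE = "sae_pwe=1\nnetwork={\n  key_mgmt=SAE\n}\n"

if __name__ == "__main__":
    print("hostapd sample exposed:", exposed_config(HOSTAPD_SAMPLE, "hostapd"))
    print("wpa_supplicant sample exposed:",
          exposed_config(SUPPLICANT_SAMPLE, "wpa_supplicant"))
```

A True result only means the configuration matches the advisory's preconditions; whether the installed build is affected still has to be confirmed against the version and commits listed under the mitigation steps.
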
Acknowledgments

Thanks to Muhammad Daniyal Pirwani Dar (Stony Brook University), Mathy Vanhoef (KU Leuven), and Omar Chowdhury (Stony Brook University) for discovering and reporting the issue.


Possible mitigation steps

- Update to wpa_supplicant/hostapd v2.11 or newer

- Merge the following commits to an earlier wpa_supplicant/hostapd version and rebuild:

  https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636
  SAE: Check for invalid Rejected Groups element length explicitly

  https://w1.fi/cgit/hostap/commit/?id=593a7c2f8c93edd6b552f2d42e28164464b4e6ff
  SAE: Check for invalid Rejected Groups element length explicitly on STA

  https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374
  SAE: Reject invalid Rejected Groups element in the parser