Published: July 31, 2024 Latest version available from: https://w1.fi/security/2024-2/ Vulnerability A vulnerability in hostapd implementation of rejected groups information processing for SAE (Simultaneous Authentication of Equals) with hash-to-element (H2E) option was discovered. This allows an attacker to modify SAE commit messages in a manner that can bypass downgrade protection for group negotiation in certain cases. A similar issue in the wpa_supplicant implementation can extend applicability of the issue for additional cases when performing SAE H2E with a vulnerable hostapd implementation. This vulnerability allows the attacker to downgrade the negotiated group to another enabled group if both the AP and STA have enabled SAE H2E and multiple groups. It should be noted that the H2E option is not enabled by default and the attack is not applicable to the default option, i.e., hunting-and-pecking, since it does not have any downgrade protection for group negotiation. In addition, the default configuration for enabled SAE groups in hostapd is to enable only a single group, so the vulnerability is not applicable unless hostapd has been explicitly configured to enable more groups for SAE. Vulnerable versions/configurations wpa_supplicant and hostapd v2.10 with SAE support (CONFIG_SAE=y in the build configuration and in the runtime configuration), SAE H2E enabled (sae_pwe set to 1 or 2 in runtime configuration or by using SAE password identifiers), and multiple SAE groups enabled (sae_groups runtime configuration with more than one group listed). The hostapd default for the sae_groups parameter is to enable only a single group, so an explicit configuration change is needed for this to be applicable. The wpa_supplicant default for sae_groups is to enable groups 19, 20, and 21, so no explicit configuration change would be needed for this to be applicable within those groups. Acknowledgments Thanks to Muhammad Daniyal Pirwani Dar (Stony Brook University), Mathy Vanhoef (KU Leuven), and Omar Chowdhury (Stony Brook University) for discovering and reporting the issue. Possible mitigation steps - Update to wpa_supplicant/hostapd v2.11 or newer - Merge the following commits to an earlier wpa_supplicant/hostapd version and rebuild: https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636 SAE: Check for invalid Rejected Groups element length explicitly https://w1.fi/cgit/hostap/commit/?id=593a7c2f8c93edd6b552f2d42e28164464b4e6ff SAE: Check for invalid Rejected Groups element length explicitly on STA https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374 SAE: Reject invalid Rejected Groups element in the parser -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap