CVE-2019-13377
Description
EAP-pwd side-channel leak in hostapd/wpa_supplicant 2.x using Brainpool curves enables offline password recovery.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.9 (prior to the August 2019 updates) are vulnerable to side-channel attacks when Brainpool curves are used. Observable timing differences and cache access patterns during password element derivation can leak information to a remote attacker. This affects versions using the Brainpool P256r1, P384r1, P512r1 curves, as referenced in [1] and [2].
Exploitation
An attacker positioned on the same network as the victim (or with the ability to observe timing/cache behavior across a shared resource) can perform a side-channel attack. The attack requires no authentication and no user interaction beyond the victim connecting to the attacker's rogue AP (or the attacker connecting to a legitimate AP using EAP-pwd). The attacker passively observes the password derivation computation and uses statistical analysis over multiple sessions to recover the password. The attack does not require write access or a race condition; it is purely observational.
Impact
Successful recovery of the EAP-pwd password allows the attacker to impersonate the victim on the network, gain unauthorized access to protected resources, or compromise the confidentiality of communications. The password is used for authentication in EAP-pwd and SAE; full password recovery gives the attacker the same privileges as the legitimate user.
Mitigation
The vulnerability is fixed in hostapd 2.9 and wpa_supplicant 2.9 (and later versions), as released in Ubuntu USN-4098-1 [1] and Fedora updates [2]. Users should upgrade to these patched versions. No workarounds are available; the fix requires updating the software. The issue is also addressed in the upstream wpa_supplicant/hostapd repository.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=2.0, <=2.8
- OSV coordinates (22 versions, no CPE):
  - pkg:rpm/opensuse/wpa_supplicant (openSUSE Leap 15.1): < 2.9-lp151.5.10.1
  - pkg:rpm/opensuse/wpa_supplicant (openSUSE Leap 15.2): < 2.9-lp152.8.3.1
  - pkg:rpm/opensuse/wpa_supplicant (openSUSE Tumbleweed): < 2.9-13.4
  - pkg:rpm/suse/wpa_supplicant (HPE Helion OpenStack 8): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise High Performance Computing 15-LTSS): < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Module for Basesystem 15 SP1): < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Module for Basesystem 15 SP2): < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server 12 SP2-BCL): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server 12 SP3-BCL): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server 12 SP3-LTSS): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server 12 SP4-LTSS): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server 12 SP5): < 2.9-23.3.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server 15-LTSS): < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server for SAP Applications 12 SP3): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server for SAP Applications 12 SP4): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 2.9-23.3.1
  - pkg:rpm/suse/wpa_supplicant (SUSE Linux Enterprise Server for SAP Applications 15): < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant (SUSE OpenStack Cloud 8): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE OpenStack Cloud 9): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE OpenStack Cloud Crowbar 8): < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant (SUSE OpenStack Cloud Crowbar 9): < 2.9-15.22.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IELLEPIXWQOJFW4SZMU3WQHO63JFAHA4/ (MITRE; vendor advisory; x_refsource_FEDORA)
- www.debian.org/security/2019/dsa-4538 (MITRE; vendor advisory; x_refsource_DEBIAN)
- seclists.org/bugtraq/2019/Sep/56 (MITRE; mailing list; x_refsource_BUGTRAQ)
- usn.ubuntu.com/4098-1/ (MITRE; x_refsource_CONFIRM)
- w1.fi/cgit/hostap/commit/ (MITRE; x_refsource_MISC)
- w1.fi/cgit/hostap/commit/ (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.