Earlier this year in April, two security researchers disclosed details about five vulnerabilities (collectively known as Dragonblood) in the WiFi Alliance’s recently launched WPA3 WiFi security and authentication standard.
Yesterday, the same security researchers disclosed two new additional bugs impacting the same standard.
The two researchers — Mathy Vanhoef and Eyal Ronen — found these two new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks.
Just like the original Dragonblood vulnerabilities from April, these two new ones allow attackers to leak information from WPA3 cryptographic operations and brute-force a WiFi network’s password.
The two bugs explained
The first bug is CVE-2019-13377 and this impacts the WPA3’s Dragonfly handshake when using Brainpool curves.
Dragonfly is the key exchange mechanism through which users authenticate on a WPA3 router or access point. In April, Vanhoef and Ronen found that Dragonfly key exchanges that relied on P-521 elliptic curves could be downgraded to use the weaker P-256. As a result, the WiFi Alliance recommended that vendors use the stronger Brainpool curves as part of the Dragonfly algorithms.
“However, we found that using Brainpool curves introduces a second class of side-channel leaks in the Dragonfly handshake of WPA3,” the two researchers explained. “We confirmed the new Brainpool leak in practice against the lastest Hostapd version, and were able to brute-force the password using the leaked information.”
The second bug is CVE-2019-13456 and this impacts the EAP-pwd implementation in the FreeRADIUS framework — used by many vendors to support WiFi connectivity.
EAP-pwd (Extensible Authentication Protocol) is an authentication system supported in the previous WPA and WPA2 WiFi authentication standards, that is also supported for legacy purposes in WPA3.
Just like the previous bug, there is an information leak in the EAP-pwd authentication process on some FreeRADIUS-supported devices, which allows attackers to recover passwords.
WiFi Alliance’s closed standards development
The researchers said they reported these two new bugs to the WiFi Alliance.
“[The] Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1,” Vanhoef said.
“Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks,” the researchers said.
But besides just disclosing the two new Dragonblood vulnerabilities, the two researchers also took the chance to criticize the WiFi Alliance again for its closed standards development process that doesn’t allow for the open-source community to contribute and prevent big vulnerabilities from making it into the standard in the first place.
“This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard,” the researchers said. “It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept.”
While these type of feedback might be ignored when coming from other researchers, it means more when it comes from Vanhoef. The Belgian researchers is the one who discovered the KRACK attack that broke the WPA2 WiFi authentication standard and forced the WiFi Alliance to develop the WPA3 standard, which it launched in June 2018.
Details about the two new Dragonblood vulnerabilities are available in an updated version of the Dragonblood white paper.
More vulnerability reports: