wpa supplicant 2.10 arrives solving some vulnerabilities, integrating improvements and more

After a year and a half of development, hostapd/wpa_supplicant 2.10 has been released, a suite supporting the wireless protocols IEEE 802.1X, WPA, WPA2, WPA3 and EAP. It consists of the wpa_supplicant application, which connects to a wireless network as a client, and the hostapd background process, which provides an access point and authentication server with components such as the WPA Authenticator, a RADIUS authentication client/server and an EAP server.

In addition to functional changes, the new version blocks a new side-channel attack vector affecting the SAE (Simultaneous Authentication of Equals) connection negotiation method and the EAP-pwd protocol.

The fixed vulnerability allowed an attacker able to execute unprivileged code on a user's system that connects to a wireless network to obtain information about the characteristics of the password by tracking activity on the system, and to use it to simplify offline password guessing.

The problem is caused by leaking information about password characteristics through side channels: indirect data, such as changes in delays during operations, reveal whether parts of a candidate password were chosen correctly during the guessing process.

Unlike the similar issues fixed in 2019, the new vulnerability stems from the fact that the external cryptographic primitives used in the function crypto_ec_point_solve_and_coord() did not take a consistent amount of time regardless of the nature of the data being processed.

Based on analysis of processor cache behavior, an attacker with the ability to execute unprivileged code on the same processor core could obtain information about the progress of password operations in SAE/EAP-pwd. All versions of wpa_supplicant and hostapd built with support for SAE (CONFIG_SAE=y) and EAP-pwd (CONFIG_EAP_PWD=y) are affected.

Among the other changes implemented in the new version is the ability to build against the OpenSSL 3.0 cryptographic library.

The Beacon Protection mechanism, proposed in the update to the WPA3 specification and designed to protect against active attacks on a wireless network that manipulate Beacon frames, has been implemented.

Support for DPP 2 (Wi-Fi Device Provisioning Protocol) has also been added. DPP defines the public key authentication method used in the WPA3 standard to simplify the configuration of devices without a screen interface; setup is done from another, more capable device that is already connected to the wireless network.

It also adds support for TLS 1.3 to the EAP-TLS implementation (disabled by default).

Added new settings (max_auth_rounds, max_auth_rounds_short) to change the limits on the number of EAP messages in the authentication process (the limits may need to be changed when using very large certificates).

WEP compatibility is removed from builds by default (rebuilding with the option CONFIG_WEP=y is required to restore WEP support). Deprecated functionality related to IAPP (Access Point Protocol) has been removed, as has support for libnl 1.1. The compiler option CONFIG_NO_TKIP=y has been added to build without TKIP support.

Fixed vulnerabilities in UPnP implementation (CVE-2020-12695), in the P2P/Wi-Fi Direct driver (CVE-2021-27803), and in the PMF security mechanism (CVE-2019-16275).

Hostapd-specific changes include expanding support for HEW (High-Efficiency Wireless, IEEE 802.11ax) wireless networks, including the ability to use the 6 GHz frequency band.

Of the other changes that stand out:

  • Added support for Extended Key ID (IEEE 802.11-2016).
  • Support for the SAE-PK (SAE Public Key) security mechanism has been added to the implementation of the SAE connection negotiation method.
  • The instant confirmation send mode, enabled by the "sae_config_immediate=1" option, has been implemented, as has the hash-to-element mechanism, enabled when the sae_pwe parameter is set to 1 or 2.
  • Added support for the PASN (Pre-Association Security Negotiation) mechanism to establish a secure connection and protect the exchange of control frames at an early stage of the connection.
  • The transition disable mechanism has been implemented to improve security; it automatically disables the roaming mode that allows switching between access points as you move.
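As an added example (not code from the wpa_supplicant project), a POSIX shell audit covering the points above: whether a build has SAE/EAP-pwd compiled in on a version older than 2.10, whether CONFIG_WEP=y or a missing CONFIG_NO_TKIP=y keeps WEP/TKIP around, and whether sae_pwe selects hash-to-element. The sample .config and wpa_supplicant.conf contents are constructed, and the version string is assumed to be passed in (for example from wpa_supplicant -v).

```shell
#!/bin/sh
# Added example, not wpa_supplicant project code. Audits a wpa_supplicant
# build .config and a wpa_supplicant.conf for the items discussed in the post.

# Constructed sample files so the script runs offline (not real deployment data).
make_sample_build_config() {
  cat > "$1" <<'EOF'
CONFIG_DRIVER_NL80211=y
CONFIG_SAE=y
CONFIG_EAP_PWD=y
CONFIG_WEP=y
# CONFIG_NO_TKIP=y
EOF
}
make_sample_supplicant_conf() {
  printf 'network={\n\tssid="lab"\n\tkey_mgmt=SAE\n\tsae_pwe=0\n}\n' > "$1"
}

# 0 if NAME=y is set (uncommented) in the build config FILE, 1 otherwise.
cfg_enabled() { grep -q "^$2=y" "$1"; }

# 0 if the version string (e.g. "2.10") already carries the 2.10 side-channel fix.
version_fixed() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 10 ]; }
}

# 0 if sae_pwe is 1 or 2 (hash-to-element) anywhere in the supplicant conf.
h2e_enabled() { grep -Eq '^[[:space:]]*sae_pwe=[12]([^0-9]|$)' "$1"; }

# Print one finding per line: build config, supplicant conf, running version.
audit() {
  build="$1"; conf="$2"; ver="$3"
  if { cfg_enabled "$build" CONFIG_SAE || cfg_enabled "$build" CONFIG_EAP_PWD; } \
     && ! version_fixed "$ver"; then
    echo "SAE/EAP-pwd built in and version $ver < 2.10: cache side-channel unfixed"
  fi
  cfg_enabled "$build" CONFIG_WEP && echo "CONFIG_WEP=y: WEP support re-enabled"
  cfg_enabled "$build" CONFIG_NO_TKIP || echo "TKIP still compiled in (set CONFIG_NO_TKIP=y)"
  h2e_enabled "$conf" || echo "sae_pwe not 1/2: SAE hash-to-element not enabled"
}
```

Run `audit /path/to/.config /etc/wpa_supplicant.conf 2.9` against real files to list the findings for that build.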

Finally, if you are interested in knowing more, you can check the details at the following link.
