Security update for hostapd (moderate)

An update that fixes 7 vulnerabilities is now available.

Description:

This update for hostapd fixes the following issues:

hostapd was updated to version 2.9:

• SAE changes
  • disable use of groups using Brainpool curves
  • improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
• EAP-pwd changes
  • disable use of groups using Brainpool curves
  • improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
• fixed FT-EAP initial mobility domain association using PMKSA caching
• added configuration of airtime policy
• fixed FILS to and RSNE into (Re)Association Response frames
• fixed DPP bootstrapping URI parser of channel list
• added support for regulatory WMM limitation (for ETSI)
• added support for MACsec Key Agreement using IEEE 802.1X/PSK
• added experimental support for EAP-TEAP server (RFC 7170)
• added experimental support for EAP-TLS server with TLS v1.3
• added support for two server certificates/keys (RSA/ECC)
• added AKMSuiteSelector into “STA <addr>” control interface data to
  determine with AKM was used for an association
• added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
  fast reauthentication use to be disabled
• fixed an ECDH operation corner case with OpenSSL

Update to version 2.8

• SAE changes
  • added support for SAE Password Identifier
  • changed default configuration to enable only group 19 (i.e., disable
    groups 20, 21, 25, 26 from default configuration) and disable all
    unsuitable groups completely based on REVmd changes
  • improved anti-clogging token mechanism and SAE authentication frame
    processing during heavy CPU load; this mitigates some issues with
    potential DoS attacks trying to flood an AP with large number
    of SAE messages
  • added Finite Cyclic Group field in status code 77 responses
  • reject use of unsuitable groups based on new implementation guidance
    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups
    with prime >= 256)
  • minimize timing and memory use differences in PWE derivation
    [https://w1.fi/security/2019-1/] (CVE-2019-9494)
  • fixed confirm message validation in error cases
    [https://w1.fi/security/2019-3/] (CVE-2019-9496)
• EAP-pwd changes
  • minimize timing and memory use differences in PWE derivation
    [https://w1.fi/security/2019-2/] (CVE-2019-9495)
  • verify peer scalar/element [https://w1.fi/security/2019-4/]
    (CVE-2019-9497 and CVE-2019-9498)
  • fix message reassembly issue with unexpected fragment
    [https://w1.fi/security/2019-5/]
  • enforce rand,mask generation rules more strictly
  • fix a memory leak in PWE derivation
  • disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27)
• Hotspot 2.0 changes
  • added support for release number 3
  • reject release 2 or newer association without PMF
• added support for RSN operating channel validation (CONFIG_OCV=y and
  configuration parameter ocv=1)
• added Multi-AP protocol support
• added FTM responder configuration
• fixed build with LibreSSL
• added FT/RRB workaround for short Ethernet frame padding
• fixed KEK2 derivation for FILS+FT
• added RSSI-based association rejection from OCE
• extended beacon reporting functionality
• VLAN changes
  • allow local VLAN management with remote RADIUS authentication
  • add WPA/WPA2 passphrase/PSK -based VLAN assignment
• OpenSSL: allow systemwide policies to be overridden
• extended PEAP to derive EMSK to enable use with ERP/FILS
• extended WPS to allow SAE configuration to be added automatically for
  PSK (wps_cred_add_sae=1)
• fixed FT and SA Query Action frame with AP-MLME-in-driver cases
• OWE: allow Diffie-Hellman Parameter element to be included with DPP in
  preparation for DPP protocol extension
• RADIUS server: started to accept ERP keyName-NAI as user identity
  automatically without matching EAP database entry
• fixed PTK rekeying with FILS and FT

wpa_supplicant:

• SAE changes
  • added support for SAE Password Identifier
  • changed default configuration to enable only groups 19, 20, 21 (i.e.,
    disable groups 25 and 26) and disable all unsuitable groups completely
    based on REVmd changes
  • do not regenerate PWE unnecessarily when the AP uses the anti-clogging
    token mechanisms
  • fixed some association cases where both SAE and FT-SAE were enabled
    on both the station and the selected AP
  • started to prefer FT-SAE over SAE AKM if both are enabled
  • started to prefer FT-SAE over FT-PSK if both are enabled
  • fixed FT-SAE when SAE PMKSA caching is used
  • reject use of unsuitable groups based on new implementation guidance
    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups
    with prime >= 256)
  • minimize timing and memory use differences in PWE derivation
    [https://w1.fi/security/2019-1/] (CVE-2019-9494)
• EAP-pwd changes
  • minimize timing and memory use differences in PWE derivation
    [https://w1.fi/security/2019-2/] (CVE-2019-9495)
  • verify server scalar/element [https://w1.fi/security/2019-4/]
    (CVE-2019-9499)
  • fix message reassembly issue with unexpected fragment
    [https://w1.fi/security/2019-5/]
  • enforce rand,mask generation rules more strictly
  • fix a memory leak in PWE derivation
  • disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27)
• fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
• Hotspot 2.0 changes
  • do not indicate release number that is higher than the one AP supports
  • added support for release number 3
  • enable PMF automatically for network profiles created from credentials
• fixed OWE network profile saving
• fixed DPP network profile saving
• added support for RSN operating channel validation (CONFIG_OCV=y and
  network profile parameter ocv=1)
• added Multi-AP backhaul STA support
• fixed build with LibreSSL
• number of MKA/MACsec fixes and extensions
• extended domain_match and domain_suffix_match to allow list of values
• fixed dNSName matching in domain_match and domain_suffix_match when
  using wolfSSL
• started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are
  enabled
• extended nl80211 Connect and external authentication to support SAE,
  FT-SAE, FT-EAP-SHA384
• fixed KEK2 derivation for FILS+FT
• extended client_cert file to allow loading of a chain of PEM encoded
  certificates
• extended beacon reporting functionality
• extended D-Bus interface with number of new properties
• fixed a regression in FT-over-DS with mac80211-based drivers
• OpenSSL: allow systemwide policies to be overridden
• extended driver flags indication for separate 802.1X and PSK 4-way
  handshake offload capability
• added support for random P2P Device/Interface Address use
• extended PEAP to derive EMSK to enable use with ERP/FILS
• extended WPS to allow SAE configuration to be added automatically for
  PSK (wps_cred_add_sae=1)
• removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
• extended domain_match and domain_suffix_match to allow list of values
• added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP
  KeyID using incorrect byte order
• fixed PTK rekeying with FILS and FT

• Enabled CLI editing and history support.

Update to version 2.7

• fixed WPA packet number reuse with replayed messages and key
  reinstallation [http://w1.fi/security/2017-1/] (CVE-2017-13082)
  (boo#1056061)
• added support for FILS (IEEE 802.11ai) shared key authentication
• added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and
  transition mode defined by WFA)
• added support for DPP (Wi-Fi Device Provisioning Protocol)
• FT:
  • added local generation of PMK-R0/PMK-R1 for FT-PSK
    (ft_psk_generate_local=1)
  • replaced inter-AP protocol with a cleaner design that is more easily
    extensible; this breaks backward compatibility and requires all APs in
    the ESS to be updated at the same time to maintain FT functionality
  • added support for wildcard R0KH/R1KH
  • replaced r0_key_lifetime (minutes) parameter with ft_r0_key_lifetime
    (seconds)
  • fixed wpa_psk_file use for FT-PSK
  • fixed FT-SAE PMKID matching
  • added expiration to PMK-R0 and PMK-R1 cache
  • added IEEE VLAN support (including tagged VLANs)
  • added support for SHA384 based AKM
• SAE
  • fixed some PMKSA caching cases with SAE
  • added support for configuring SAE password separately of the WPA2
    PSK/passphrase
  • added option to require MFP for SAE associations (sae_require_pmf=1)
  • fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for
    SAE; note: this is not backwards compatible, i.e., both the AP and
    station side implementations will need to be update at the same time
    to maintain interoperability
  • added support for Password Identifier
• hostapd_cli: added support for command history and completion
• added support for requesting beacon report
• large number of other fixes, cleanup, and extensions
• added option to configure EAPOL-Key retry limits (wpa_group_update_count
  and wpa_pairwise_update_count)
• removed all PeerKey functionality
• fixed nl80211 AP mode configuration regression with Linux 4.15 and newer
• added support for using wolfSSL cryptographic library
• fixed some 20/40 MHz coexistence cases where the BSS could drop to 20
  MHz even when 40 MHz would be allowed
• Hotspot 2.0
  • added support for setting Venue URL ANQP-element (venue_url)
  • added support for advertising Hotspot 2.0 operator icons
  • added support for Roaming Consortium Selection element
  • added support for Terms and Conditions
  • added support for OSEN connection in a shared RSN BSS
• added support for using OpenSSL 1.1.1
• added EAP-pwd server support for salted passwords

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.1:

  zypper in -t patch openSUSE-2020-222=1

• openSUSE Backports SLE-15-SP1:

  zypper in -t patch openSUSE-2020-222=1

• openSUSE Backports SLE-15:

  zypper in -t patch openSUSE-2020-222=1