Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2019-002
CVE: CVE-2019-9494
Publication Date: 2019-Apr-13
Status: Not affected
Revision: 1

Title
=====
WPA3 Multiple Vulnerabilities

Overview
========
On April 10, 2019 a research paper by Mathy Vanhoef and Eyal Ronen was
released documenting a series of potential vulnerabilities in
implementations of WPA3 and EAP-pwd (RFC 5931). Details on EAP-pwd
vulnerabilities have not yet been released. This advisory covers only
WPA3 vulnerabilities.

Affected Products
=================
None.

Details
=======
The issues described by the researcher only affect networks which are
configured to use WPA3-Personal. The research paper is posted at
https://wpa3.mathyvanhoef.com/.

The researcher reported multiple distinct implementation issues:

  1. Downgrade to WPA2

     It is possible to downgrade the WPA3 level of security offered by
     SAE into WPA2-PSK, if a client/AP is willing to operate using
     WPA2-PSK. Aruba does not consider this an "attack" since the
     network has been specifically configured to support WPA2. The
     behavior can be eliminated by disabling transition mode.

  2. Cache-based Side-Channel Attack (CVE-2019-9494)

     This type of attack cannot be exploited on Aruba products because
     there is no ability to run arbitrary code on the same CPU that is
     processing SAE operations.

  3. Resource Consumption / Denial of Service Attack

     Aruba products are sufficiently hardened against such an attack.
     Processing of SAE is performed by a worker thread which is not
     permitted to take full control of the CPU.

  4. Timing-based Side Channel Attack (CVE-2019-9494)

     Aruba's implementation of SAE does not support multiplicative
     groups. Only elliptic curve groups are supported.

  5. Group Downgrade Attack

     Aruba's implementation of SAE does not support weak groups.

Resolution
==========
No action required.
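
Whether a given BSS is in the transition mode described in item 1 can be read from the RSN element it advertises: a transition-mode network lists both a PSK and an SAE AKM suite. The Python below is an added example, not part of Aruba's advisory; the function names and the sample elements are constructed for illustration, and the AKM suite selectors are those defined by IEEE 802.11.

```python
import struct

OUI = b"\x00\x0f\xac"        # IEEE 802.11 suite selector OUI
PSK_AKMS = {2, 4, 6}         # PSK, FT-PSK, PSK-SHA256
SAE_AKMS = {8, 9}            # SAE, FT-SAE

def parse_rsn(ie: bytes) -> dict:
    """Return the AKM suite types and MFP bits of an RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]

    u16()                     # version
    take(4)                   # group data cipher suite
    take(4 * u16())           # pairwise cipher suite list
    akm_count = u16()
    suites = [take(4) for _ in range(akm_count)]
    akms = [s[3] for s in suites if s[:3] == OUI]
    caps = u16() if pos < len(body) else 0   # RSN capabilities are optional
    return {"akms": akms, "mfp_capable": bool(caps & 0x80),
            "mfp_required": bool(caps & 0x40)}

def classify(ie: bytes) -> str:
    """Label a BSS by the personal-mode AKMs it advertises."""
    akms = parse_rsn(ie)["akms"]
    has_psk = any(a in PSK_AKMS for a in akms)
    has_sae = any(a in SAE_AKMS for a in akms)
    if has_psk and has_sae:
        return "transition"   # WPA2-PSK is still accepted alongside SAE
    if has_sae:
        return "wpa3-only"
    return "wpa2-psk" if has_psk else "other"

def sample_rsn(akm_types, caps: int) -> bytes:
    """Build a constructed RSN element (CCMP ciphers) as sample input."""
    body = struct.pack("<H", 1) + OUI + b"\x04" + struct.pack("<H", 1) + OUI + b"\x04"
    body += struct.pack("<H", len(akm_types)) + b"".join(OUI + bytes([t]) for t in akm_types)
    return bytes([48, len(body) + 2]) + body + struct.pack("<H", caps)

if __name__ == "__main__":
    for akms, caps in (([2, 8], 0x0080), ([8], 0x00C0), ([2], 0x0000)):
        print(akms, classify(sample_rsn(akms, caps)))
```
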

Revision History
================
Revision 1 / 2019-Apr-13 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

  http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

  http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2019 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.