SUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1853-1
Rating: important
References: #1131644 #1131868 #1131870 #1131871 #1131872
#1131874 #1133640 #1144443 #1156920 #1165266
#1166933 #1167331 #1182805 #1194732 #1194733
SLE-14992
Cross-References: CVE-2015-8041 CVE-2017-13077 CVE-2017-13078
CVE-2017-13079 CVE-2017-13080 CVE-2017-13081
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088 CVE-2018-14526 CVE-2019-11555
CVE-2019-13377 CVE-2019-9494 CVE-2019-9495
CVE-2019-9497 CVE-2019-9498 CVE-2019-9499
CVE-2022-23303 CVE-2022-23304
CVSS scores:
CVE-2017-13077 (NVD) : 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13077 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13078 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13078 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13079 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13079 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13080 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13080 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13081 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13081 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13082 (NVD) : 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13082 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13086 (NVD) : 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13086 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13087 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13087 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13088 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13088 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2018-14526 (NVD) : 6.5 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2018-14526 (SUSE): 5.9 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE-2019-11555 (NVD) : 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2019-11555 (SUSE): 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2019-13377 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2019-13377 (SUSE): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2019-9494 (NVD) : 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2019-9494 (SUSE): 5.9 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE-2019-9495 (NVD) : 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2019-9495 (SUSE): 6.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE-2019-9497 (NVD) : 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-9497 (SUSE): 3.1 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2019-9498 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-9498 (SUSE): 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2019-9499 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-9499 (SUSE): 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2022-23303 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23303 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23304 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23304 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
HPE Helion Openstack 8
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________
An update that fixes 20 vulnerabilities, contains one
feature is now available.
Description:
This update for wpa_supplicant fixes the following issues:
- CVE-2022-23303, CVE-2022-23304: Fixed SAE/EAP-pwd side-channel attacks
(bsc#1194732, bsc#1194733)
- CVE-2021-0326: Fixed P2P group information processing vulnerability
(bsc#1181777)
- Fix systemd device ready dependencies in [email protected] file.
(bsc#1182805)
- Limit P2P_DEVICE name to appropriate ifname size
- Enable SAE support(jsc#SLE-14992).
- Fix wicked wlan (bsc#1156920)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started
before network. Fix WLAN config on boot with wicked. (bsc#1166933)
- Adjust the service to start after network.target wrt bsc#1165266
Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled with
ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using [email protected] identity
* fixed Hotspot 2.0 credential selection based on roaming consortium to
ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X 4-way
handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21 (i.e.,
disable groups 25 and 26) and disable all unsuitable groups completely
based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the anti-clogging
token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups
with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element [https://w1.fi/security/2019-4/]
(CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874,
bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation (CONFIG_OCV=y and
network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are
enabled
* extended nl80211 Connect and external authentication to support SAE,
FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM encoded
certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK 4-way
handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically for
PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP
KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and
transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal strength
based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux kernel macsec
module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with Linux 4.15
and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the WPA2
PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for
SAE; note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same time
to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256
in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- CVE-2015-8041: Using O_WRONLY flag [https://w1.fi/security/2015-5/]
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1853=1
- SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2022-1853=1
- SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1853=1
- SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2022-1853=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-1853=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
zypper in -t patch SUSE-SLE-SAP-12-SP3-2022-1853=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-1853=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2022-1853=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-1853=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-1853=1
- HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2022-1853=1
Package List:
- SUSE OpenStack Cloud Crowbar 9 (x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE OpenStack Cloud 9 (x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE OpenStack Cloud 8 (x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
- HPE Helion Openstack 8 (x86_64):
wpa_supplicant-2.9-15.22.1
wpa_supplicant-debuginfo-2.9-15.22.1
wpa_supplicant-debugsource-2.9-15.22.1
References:
https://www.suse.com/security/cve/CVE-2015-8041.html
https://www.suse.com/security/cve/CVE-2017-13077.html
https://www.suse.com/security/cve/CVE-2017-13078.html
https://www.suse.com/security/cve/CVE-2017-13079.html
https://www.suse.com/security/cve/CVE-2017-13080.html
https://www.suse.com/security/cve/CVE-2017-13081.html
https://www.suse.com/security/cve/CVE-2017-13082.html
https://www.suse.com/security/cve/CVE-2017-13086.html
https://www.suse.com/security/cve/CVE-2017-13087.html
https://www.suse.com/security/cve/CVE-2017-13088.html
https://www.suse.com/security/cve/CVE-2018-14526.html
https://www.suse.com/security/cve/CVE-2019-11555.html
https://www.suse.com/security/cve/CVE-2019-13377.html
https://www.suse.com/security/cve/CVE-2019-9494.html
https://www.suse.com/security/cve/CVE-2019-9495.html
https://www.suse.com/security/cve/CVE-2019-9497.html
https://www.suse.com/security/cve/CVE-2019-9498.html
https://www.suse.com/security/cve/CVE-2019-9499.html
https://www.suse.com/security/cve/CVE-2022-23303.html
https://www.suse.com/security/cve/CVE-2022-23304.html
https://bugzilla.suse.com/1131644
https://bugzilla.suse.com/1131868
https://bugzilla.suse.com/1131870
https://bugzilla.suse.com/1131871
https://bugzilla.suse.com/1131872
https://bugzilla.suse.com/1131874
https://bugzilla.suse.com/1133640
https://bugzilla.suse.com/1144443
https://bugzilla.suse.com/1156920
https://bugzilla.suse.com/1165266
https://bugzilla.suse.com/1166933
https://bugzilla.suse.com/1167331
https://bugzilla.suse.com/1182805
https://bugzilla.suse.com/1194732
https://bugzilla.suse.com/1194733
SUSE: 2022:1853-1 important: wpa_supplicant
May 26, 2022
An update that fixes 20 vulnerabilities, contains one feature is now available
Summary
This update for wpa_supplicant fixes the following issues: - CVE-2022-23303, CVE-2022-23304: Fixed SAE/EAP-pwd side-channel attacks (bsc#1194732, bsc#1194733) - CVE-2021-0326: Fixed P2P group information processing vulnerability (bsc#1181777) - Fix systemd device ready dependencies in [email protected] file. (bsc#1182805) - Limit P2P_DEVICE name to appropriate ifname size - Enable SAE support(jsc#SLE-14992). - Fix wicked wlan (bsc#1156920) - Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (bsc#1166933) - Adjust the service to start after network.target wrt bsc#1165266 Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using [email protected] identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - CVE-2015-8041: Using O_WRONLY flag [https://w1.fi/security/2015-5/] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1853=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2022-1853=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1853=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2022-1853=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-1853=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2022-1853=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-1853=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2022-1853=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-1853=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-1853=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2022-1853=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE OpenStack Cloud 9 (x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE OpenStack Cloud 8 (x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1 - HPE Helion Openstack 8 (x86_64): wpa_supplicant-2.9-15.22.1 wpa_supplicant-debuginfo-2.9-15.22.1 wpa_supplicant-debugsource-2.9-15.22.1
References
#1131644 #1131868 #1131870 #1131871 #1131872
#1131874 #1133640 #1144443 #1156920 #1165266
#1166933 #1167331 #1182805 #1194732 #1194733
SLE-14992
Cross- CVE-2015-8041 CVE-2017-13077 CVE-2017-13078
CVE-2017-13079 CVE-2017-13080 CVE-2017-13081
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088 CVE-2018-14526 CVE-2019-11555
CVE-2019-13377 CVE-2019-9494 CVE-2019-9495
CVE-2019-9497 CVE-2019-9498 CVE-2019-9499
CVE-2022-23303 CVE-2022-23304
CVSS scores:
CVE-2017-13077 (NVD) : 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13077 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13078 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13078 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13079 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13079 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13080 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13080 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13081 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13081 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13082 (NVD) : 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13082 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13086 (NVD) : 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13086 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13087 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13087 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-13088 (NVD) : 5.3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-13088 (SUSE): 8.1 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2018-14526 (NVD) : 6.5 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2018-14526 (SUSE): 5.9 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE-2019-11555 (NVD) : 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2019-11555 (SUSE): 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2019-13377 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2019-13377 (SUSE): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2019-9494 (NVD) : 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2019-9494 (SUSE): 5.9 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE-2019-9495 (NVD) : 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2019-9495 (SUSE): 6.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE-2019-9497 (NVD) : 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-9497 (SUSE): 3.1 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2019-9498 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-9498 (SUSE): 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2019-9499 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-9499 (SUSE): 6.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2022-23303 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23303 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23304 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23304 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
HPE Helion Openstack 8
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud Crowbar 9
https://www.suse.com/security/cve/CVE-2015-8041.html
https://www.suse.com/security/cve/CVE-2017-13077.html
https://www.suse.com/security/cve/CVE-2017-13078.html
https://www.suse.com/security/cve/CVE-2017-13079.html
https://www.suse.com/security/cve/CVE-2017-13080.html
https://www.suse.com/security/cve/CVE-2017-13081.html
https://www.suse.com/security/cve/CVE-2017-13082.html
https://www.suse.com/security/cve/CVE-2017-13086.html
https://www.suse.com/security/cve/CVE-2017-13087.html
https://www.suse.com/security/cve/CVE-2017-13088.html
https://www.suse.com/security/cve/CVE-2018-14526.html
https://www.suse.com/security/cve/CVE-2019-11555.html
https://www.suse.com/security/cve/CVE-2019-13377.html
https://www.suse.com/security/cve/CVE-2019-9494.html
https://www.suse.com/security/cve/CVE-2019-9495.html
https://www.suse.com/security/cve/CVE-2019-9497.html
https://www.suse.com/security/cve/CVE-2019-9498.html
https://www.suse.com/security/cve/CVE-2019-9499.html
https://www.suse.com/security/cve/CVE-2022-23303.html
https://www.suse.com/security/cve/CVE-2022-23304.html
https://bugzilla.suse.com/1131644
https://bugzilla.suse.com/1131868
https://bugzilla.suse.com/1131870
https://bugzilla.suse.com/1131871
https://bugzilla.suse.com/1131872
https://bugzilla.suse.com/1131874
https://bugzilla.suse.com/1133640
https://bugzilla.suse.com/1144443
https://bugzilla.suse.com/1156920
https://bugzilla.suse.com/1165266
https://bugzilla.suse.com/1166933
https://bugzilla.suse.com/1167331
https://bugzilla.suse.com/1182805
https://bugzilla.suse.com/1194732
https://bugzilla.suse.com/1194733
Severity
Announcement ID: SUSE-SU-2022:1853-1
Rating: important
News
HOWTOs
Features
Best Linux Backup Solutions to Prevent Data Loss in A Ransomware Attack
ManageEngine Vulnerability Manager Plus: How To Protect Your Enterprise from Security Vulnerabilities
High-Impact DoS, Arbitrary Code Execution, Spoofing Bugs Fixed in Thunderbird 102.9.0
A Guide to Business Cybersecurity: Common Digital Attacks and Precautions
New Linux IceFire Ransomware Variant Discovered: What You Need to Know to Secure Your Systems
About Us
Powered By
