Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Try our Premium Alert Service
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service

Category:   Application (Generic)  >   wpa_supplicant Vendors:   Malinen, Jouni et al
wpa_supplicant EAPOL-Key Data Processing Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID:  1041438
SecurityTracker URL:
CVE Reference:   CVE-2018-14526   (Links to External Site)
Date:  Aug 9 2018
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in wpa_supplicant. A remote user can cause denial of service conditions on the target system.

A remote user can send specially crafted unauthenticated EAPOL-Key frame data to modify the Group Transient Key (GTK) on the target system, preventing the target system from accepting group-addressed frames.

Systems where WPA2/RSN style of EAPOL-Key construction is used with TKIP negotiated as the pairwise cipher (which should not be done) are affected.

Mathy Vanhoef of the imec-DistriNet research group of KU Leuven reported this vulnerability.

Impact:   A remote user can cause denial of service conditions.
Solution:   The vendor has issued a patch, available at:

The patch will be included in future version 2.7.

The vendor advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (FreeBSD), UNIX (macOS/OS X), UNIX (NetBSD), UNIX (OpenBSD), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 15 2018 (FreeBSD Issues Fix for FreeBSD Kernel) wpa_supplicant EAPOL-Key Data Processing Flaw Lets Remote Users Deny Service
FreeBSD has issued a fix for FreeBSD Kernel for FreeBSD 10.4, 11.1, and 11.2.

 Source Message Contents

Subject:  [oss-security] Unauthenticated EAPOL-Key decryption in wpa_supplicant

Published: August 8, 2018
- CVE-2018-14526
Latest version available from:


A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in

When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.

Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.

Vulnerable versions/configurations

All wpa_supplicant versions.


Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.

Possible mitigation steps

- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
  can be done also on the AP side.

- Merge the following commits to wpa_supplicant and rebuild:

  WPA: Ignore unauthenticated encrypted EAPOL-Key data

  This patch is available from

- Update to wpa_supplicant v2.7 or newer, once available

Jouni Malinen                                            PGP id EFC895FA

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, LLC