Vulnerabilities in WiFi WPA3 Standard

Security researchers discovered two vulnerabilities in the WiFi Alliance’s WPA3 WiFi security and authentication standard, in addition to the five original vulnerabilities reported earlier in April 2019. Both vulnerabilities allow malicious actors to obtain information leaked by WPA3 cryptographic operations and brute-force a WiFi network’s password. The first vulnerability, CVE-2019-13377, impacts WPA3’s Dragonfly handshake when using Brainpool curves. The second vulnerability, CVE-2019-13456, impacts the EAP-pwd implementation in the FreeRADIUS framework. At the time of this writing, the WiFi standard is being reviewed and updated with proper defenses. The NJCCIC recommends users patch systems as updates become available. We encourage users to review the technical details in the Dragonblood white paper and the ZDNet article.
