Debian: DLA-1867-1 Critical: wpa Authentication Issues Overview
debian lts
July 31, 2019
Several vulnerabilities were discovered in WPA supplicant / hostapd
Topics Covered
Summary
CVE-2019-9495
Cache-based side-channel attack against the EAP-pwd implementation:
an attacker able to run unprivileged code on the target machine
(including for example javascript code in a browser on a smartphone)
during the handshake could deduce enough information to discover the
password in a dictionary attack.
This issue has only very partially been mitigated against by reducing
measurable timing differences during private key operations. More
work is required to fully mitigate this vulnerability.
CVE-2019-9497
Reflection attack against EAP-pwd server implementation: a lack of
validation of received scalar and elements value in the
EAP-pwd-Commit messages could have resulted in attacks that would
have been able to complete EAP-pwd authentication exchange without
the attacker having to know the password. This did not result in the
attacker being able to derive the session key, complete the following
key exchange and access the network.
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
<pre><font face="Courier">Package: wpa
Version: 2.3-1+deb8u8
CVE ID: CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499
Debian Bug: 927463
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!