CVE-2019-9495


The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.


Published

2019-04-17T14:29:03.887

Last Modified

2024-11-21T04:51:43.797

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-524
  • Type: Primary
    CWE-203

Affected Vendors & Products
Type | Vendor | Product | Version/Range | Vulnerable?
Application | w1.fi | hostapd | ≤ 2.7 | Yes
Application | w1.fi | wpa_supplicant | ≤ 2.7 | Yes
Operating System | fedoraproject | fedora | 28 | Yes
Operating System | fedoraproject | fedora | 29 | Yes
Operating System | fedoraproject | fedora | 30 | Yes
Application | opensuse | backports_sle | 15.0 | Yes
Operating System | opensuse | leap | 15.1 | Yes
Application | synology | radius_server | 3.0 | Yes
Application | synology | router_manager | < 1.2.3-8017 | Yes
Operating System | debian | debian_linux | 8.0 | Yes
Operating System | freebsd | freebsd | 11.2 | Yes
Operating System | freebsd | freebsd | 12.0 | Yes
