The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
03 Nov 2021, 19:53
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-203 | |
References | (FREEBSD) https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html - Mailing List, Third Party Advisory | |
References | (BUGTRAQ) https://seclists.org/bugtraq/2019/May/40 - Mailing List, Third Party Advisory | |
References | (MISC) http://packetstormsecurity.com/files/152914/FreeBSD-Security-Advisory-FreeBSD-SA-19-03.wpa.html - Third Party Advisory, VDB Entry | |
References | (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://www.synology.com/security/advisory/Synology_SA_19_16 - Third Party Advisory | |
CPE | cpe:2.3:o:freebsd:freebsd:11.2:p5:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:12.0:p2:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:12.0:p1:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:p4:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:-:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:p2:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:p7:*:*:*:*:*:* cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* cpe:2.3:a:synology:router_manager:*:*:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:12.0:p3:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:12.0:-:*:*:*:*:*:* cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:p3:*:*:*:*:*:* cpe:2.3:a:synology:radius_server:3.0:*:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:rc3:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:p9:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:p8:*:*:*:*:*:* cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:11.2:p6:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
Information
Published : 2019-04-17 14:29
Updated : 2024-02-04 20:20
NVD link : CVE-2019-9495
Mitre link : CVE-2019-9495
CVE.ORG link : CVE-2019-9495
JSON object : View
Products Affected
opensuse
- backports_sle
- leap
w1.fi
- hostapd
- wpa_supplicant
freebsd
- freebsd
fedoraproject
- fedora
debian
- debian_linux
synology
- router_manager
- radius_server