QwikSec

Security Database

CVE

CWE

Training

CVE-2019-9495

Published: Apr 17, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

Vendor	Product	Versions
Wi-Fi Alliance	hostapd with EAP-pwd support	affected `2.7 - <= 2.7`
Wi-Fi Alliance	wpa_supplicant with EAP-pwd support	affected `2.7 - <= 2.7`

Weaknesses (CWE)

References

https://w1.fi/security/2019-2/

x_refsource_CONFIRM

https://www.synology.com/security/advisory/Synology_SA_19_16

x_refsource_CONFIRM

FEDORA-2019-d03bae77f5

vendor-advisory

x_refsource_FEDORA

FEDORA-2019-f409af9fbe

vendor-advisory

x_refsource_FEDORA

FEDORA-2019-eba1109acd

vendor-advisory

x_refsource_FEDORA

FreeBSD-SA-19:03

vendor-advisory

x_refsource_FREEBSD

20190515 FreeBSD Security Advisory FreeBSD-SA-19:03.wpa

mailing-list

x_refsource_BUGTRAQ

http://packetstormsecurity.com/files/152914/FreeBSD-Security-Advisory-FreeBSD-SA-19-03.wpa.html

x_refsource_MISC

[debian-lts-announce] 20190731 [SECURITY] [DLA 1867-1] wpa security update

mailing-list

x_refsource_MLIST

openSUSE-SU-2020:0222

vendor-advisory

x_refsource_SUSE

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.