CVE-2019-9498

Description

The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

CVSS Metrics

• v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.79%• Percentile: 74%

Techniques & Countermeasures

• CWE-287•Improper Authentication

  When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

• CWE-346•Origin Validation Error

  The product does not properly verify that the source of data or communication is valid.

Affected Systems

• debian•debian_linux

  8.0

• fedoraproject•fedora

  28 | 29 | 30

• freebsd•freebsd

  ≥ 11.0, ≤ 11.1 | 11.2 | 11.2:p13 | 11.2:p2 | 11.2:p3 | 11.2:p4 | 11.2:p5 | 11.2:p6 | 11.2:p7 | 11.2:p8 | 11.2:p9 | 12.0 | 12.0:p1 | 12.0:p2 | 12.0:p3

• opensuse•backports_sle

  15.0 | 15.0:sp1

• opensuse•leap

  15.1

• synology•radius_server

  3.0

• synology•router_manager

  1.2

• w1.fi•hostapd

  ≤ 2.4 | ≥ 2.5, ≤ 2.7

• w1.fi•wpa_supplicant

  ≤ 2.4 | ≥ 2.5, ≤ 2.7

• wi-fi alliance•hostapd with eap-pwd support

  2.7

• wi-fi alliance•hostapd with sae support

  2.4

• wi-fi alliance•wpa_supplicant with eap-pwd support

  2.7

• wi-fi alliance•wpa_supplicant with sae support

  2.4

References (9)

• https://w1.fi/security/2019-4/
• https://www.synology.com/security/advisory/Synology_SA_19_16
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/
• https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc
• https://seclists.org/bugtraq/2019/May/40
• https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html
• http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.html