CVE-2019-9494
17.04.2019, 14:29
The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.Enginsight
| Vendor | Product | Version |
|---|---|---|
| w1.fi | hostapd | 𝑥 ≤ 2.7 |
| w1.fi | wpa_supplicant | 𝑥 ≤ 2.7 |
| opensuse | backports_sle | 15.0 |
| opensuse | backports_sle | 15.0:sp1 |
| opensuse | leap | 15.1 |
| synology | radius_server | 3.0 |
| synology | router_manager | 𝑥 < 1.2.3-8087 |
| freebsd | freebsd | 11.2 |
| freebsd | freebsd | 11.2:p2 |
| freebsd | freebsd | 11.2:p3 |
| freebsd | freebsd | 11.2:p4 |
| freebsd | freebsd | 11.2:p5 |
| freebsd | freebsd | 11.2:p6 |
| freebsd | freebsd | 11.2:p7 |
| freebsd | freebsd | 11.2:p8 |
| freebsd | freebsd | 11.2:p9 |
| freebsd | freebsd | 11.2:rc3 |
| freebsd | freebsd | 12.0 |
| freebsd | freebsd | 12.0:p1 |
| freebsd | freebsd | 12.0:p2 |
| freebsd | freebsd | 12.0:p3 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-208 - Observable Timing DiscrepancyTwo separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
- CWE-203 - Observable DiscrepancyThe product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
References