Vulnerabilities > CVE-2018-14526 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in multiple products
Attack vector
ADJACENT_NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 3 | |
| OS | 1 | |
| Application | 8 |
Common Weakness Enumeration (CWE)
Nessus
NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0072_WPA_SUPPLICANT.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has wpa_supplicant packages installed that are affected by a vulnerability: - An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information. (CVE-2018-14526) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127276 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127276 title NewStart CGSL CORE 5.04 / MAIN 5.04 : wpa_supplicant Vulnerability (NS-SA-2019-0072) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0072. The text # itself is copyright (C) ZTE, Inc. include("compat.inc"); if (description) { script_id(127276); script_version("1.2"); script_cvs_date("Date: 2019/10/17 14:31:04"); script_cve_id("CVE-2018-14526"); script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : wpa_supplicant Vulnerability (NS-SA-2019-0072)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by a vulnerability."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has wpa_supplicant packages installed that are affected by a vulnerability: - An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information. (CVE-2018-14526) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0072"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL wpa_supplicant packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-14526"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/08"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL CORE 5.04" && release !~ "CGSL MAIN 5.04") audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL CORE 5.04": [ "wpa_supplicant-2.6-12.el7", "wpa_supplicant-debuginfo-2.6-12.el7" ], "CGSL MAIN 5.04": [ "wpa_supplicant-2.6-12.el7", "wpa_supplicant-debuginfo-2.6-12.el7" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wpa_supplicant"); }NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-1122.NASL description An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.(CVE-2018-14526) last seen 2020-05-15 modified 2018-12-10 plugin id 119505 published 2018-12-10 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119505 title Amazon Linux 2 : wpa_supplicant (ALAS-2018-1122) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux 2 Security Advisory ALAS-2018-1122. # include("compat.inc"); if (description) { script_id(119505); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/13"); script_cve_id("CVE-2018-14526"); script_xref(name:"ALAS", value:"2018-1122"); script_name(english:"Amazon Linux 2 : wpa_supplicant (ALAS-2018-1122)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux 2 host is missing a security update." ); script_set_attribute( attribute:"description", value: "An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.(CVE-2018-14526)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1122.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update wpa_supplicant' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:wpa_supplicant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:wpa_supplicant-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/08"); script_set_attribute(attribute:"patch_publication_date", value:"2018/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "2") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"AL2", reference:"wpa_supplicant-2.6-12.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"wpa_supplicant-debuginfo-2.6-12.amzn2")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wpa_supplicant / wpa_supplicant-debuginfo"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-3107.NASL description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 118529 published 2018-10-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118529 title RHEL 7 : wpa_supplicant (RHSA-2018:3107) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:3107. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(118529); script_version("1.5"); script_cvs_date("Date: 2019/10/24 15:35:45"); script_cve_id("CVE-2018-14526"); script_xref(name:"RHSA", value:"2018:3107"); script_name(english:"RHEL 7 : wpa_supplicant (RHSA-2018:3107)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section." ); # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3395ff0b" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:3107" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-14526" ); script_set_attribute( attribute:"solution", value: "Update the affected wpa_supplicant and / or wpa_supplicant-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wpa_supplicant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wpa_supplicant-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/08"); script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2018:3107"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"wpa_supplicant-2.6-12.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"wpa_supplicant-2.6-12.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"wpa_supplicant-debuginfo-2.6-12.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"wpa_supplicant-debuginfo-2.6-12.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wpa_supplicant / wpa_supplicant-debuginfo"); } }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1414.NASL description According to the versions of the wpa_supplicant package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.(CVE-2018-14526) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used pairwise key (PTK-TK) by retransmitting Fast BSS Transition (FT) Reassociation Requests.(CVE-2017-13082) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a group key handshake.(CVE-2017-13080) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13081) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used Tunneled Direct-Link Setup (TDLS) Peerkey (TPK) key during a TDLS handshake.(CVE-2017-13086) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13079) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a 4-way handshake.(CVE-2017-13078) - A new exploitation technique called key reinstallation attacks (KRACKs) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used pairwise key (PTK-TK) during a 4-way handshake.(CVE-2017-13077) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used integrity group key (IGTK) during a Wireless Network Management (WNM) Sleep Mode handshake.(CVE-2017-13088) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a Wireless Network Management (WNM) Sleep Mode handshake.(CVE-2017-13087) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124917 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124917 title EulerOS Virtualization for ARM 64 3.0.1.0 : wpa_supplicant (EulerOS-SA-2019-1414) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(124917); script_version("1.4"); script_cvs_date("Date: 2020/01/17"); script_cve_id( "CVE-2017-13077", "CVE-2017-13078", "CVE-2017-13079", "CVE-2017-13080", "CVE-2017-13081", "CVE-2017-13082", "CVE-2017-13086", "CVE-2017-13087", "CVE-2017-13088", "CVE-2018-14526" ); script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : wpa_supplicant (EulerOS-SA-2019-1414)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS Virtualization for ARM 64 host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the wpa_supplicant package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.(CVE-2018-14526) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used pairwise key (PTK-TK) by retransmitting Fast BSS Transition (FT) Reassociation Requests.(CVE-2017-13082) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a group key handshake.(CVE-2017-13080) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13081) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used Tunneled Direct-Link Setup (TDLS) Peerkey (TPK) key during a TDLS handshake.(CVE-2017-13086) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13079) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a 4-way handshake.(CVE-2017-13078) - A new exploitation technique called key reinstallation attacks (KRACKs) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used pairwise key (PTK-TK) during a 4-way handshake.(CVE-2017-13077) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used integrity group key (IGTK) during a Wireless Network Management (WNM) Sleep Mode handshake.(CVE-2017-13088) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a Wireless Network Management (WNM) Sleep Mode handshake.(CVE-2017-13087) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1414 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a63927e7"); script_set_attribute(attribute:"solution", value: "Update the affected wpa_supplicant packages."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:wpa_supplicant"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0"); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu); flag = 0; pkgs = ["wpa_supplicant-2.6-9.h1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wpa_supplicant"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-1088-1.NASL description This update for wpa_supplicant fixes the following issues : This security issue was fixed : CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the vulnerability to recover sensitive information (bsc#1104205). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124404 published 2019-04-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124404 title SUSE SLED12 / SLES12 Security Update : wpa_supplicant (SUSE-SU-2019:1088-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:1088-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(124404); script_version("1.3"); script_cvs_date("Date: 2020/01/21"); script_cve_id("CVE-2018-14526"); script_name(english:"SUSE SLED12 / SLES12 Security Update : wpa_supplicant (SUSE-SU-2019:1088-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for wpa_supplicant fixes the following issues : This security issue was fixed : CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the vulnerability to recover sensitive information (bsc#1104205). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1104205" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1109209" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-14526/" ); # https://www.suse.com/support/update/announcement/2019/suse-su-20191088-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a4a7d664" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE OpenStack Cloud 7:zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1088=1 SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-1088=1 SUSE Linux Enterprise Server 12-SP4:zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-1088=1 SUSE Linux Enterprise Server 12-SP3:zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-1088=1 SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-1088=1 SUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-1088=1 SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-1088=1 SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2019-1088=1 SUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-1088=1 SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2019-1088=1 SUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2019-1088=1" ); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:wpa_supplicant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:wpa_supplicant-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:wpa_supplicant-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/08"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0|1|2|3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1/2/3/4", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3/4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", reference:"wpa_supplicant-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"wpa_supplicant-debuginfo-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"wpa_supplicant-debugsource-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"4", reference:"wpa_supplicant-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"4", reference:"wpa_supplicant-debuginfo-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"4", reference:"wpa_supplicant-debugsource-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"wpa_supplicant-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"wpa_supplicant-debuginfo-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"wpa_supplicant-debugsource-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"wpa_supplicant-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"wpa_supplicant-debuginfo-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"wpa_supplicant-debugsource-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"wpa_supplicant-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"wpa_supplicant-debuginfo-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"wpa_supplicant-debugsource-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", reference:"wpa_supplicant-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", reference:"wpa_supplicant-debuginfo-2.6-15.10.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", reference:"wpa_supplicant-debugsource-2.6-15.10.1")) flag++; if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"wpa_supplicant-2.6-15.10.1")) flag++; if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"wpa_supplicant-debuginfo-2.6-15.10.1")) flag++; if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"wpa_supplicant-debugsource-2.6-15.10.1")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"wpa_supplicant-2.6-15.10.1")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"wpa_supplicant-debuginfo-2.6-15.10.1")) flag++; if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"wpa_supplicant-debugsource-2.6-15.10.1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wpa_supplicant"); }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1462.NASL description The following vulnerability was discovered in wpa_supplicant. CVE-2018-14526: | An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 | through 2.6. Under certain conditions, the integrity of EAPOL-Key | messages is not checked, leading to a decryption oracle. An attacker | within range of the Access Point and client can abuse the | vulnerability to recover sensitive information. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 111618 published 2018-08-10 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111618 title Debian DLA-1462-1 : wpa security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-1345.NASL description This update for wpa_supplicant fixes the following issues : This security issue was fixed : - CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the vulnerability to recover sensitive information (bsc#1104205). This non-security issue was fixed : - Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209). This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 124710 published 2019-05-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124710 title openSUSE Security Update : wpa_supplicant (openSUSE-2019-1345) NASL family Firewalls NASL id PFSENSE_SA-18_08.NASL description According to its self-reported version number, the remote pfSense install is a version 2.3.x prior or equal to 2.3.5-p2 or 2.4.x prior to 2.4.3-p1. It is, therefore, affected by multiple vulnerabilities: - Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. (CVE-2018-3620) - An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4. This allows an authenticated WebGUI user with privileges for the affected page to execute commands in the context of the root user when submitting a request to relinquish a DHCP lease for an interface which is configured to obtain its address via DHCP. (CVE-2018-16055) - a denial of service vulnerability exists in the ip fragment reassembly code due to excessive system resource consumption. This issue can allow a remote attacker who is able to send arbitrary ip fragments to cause the machine to consume excessive resources. (CVE-2018-6923) last seen 2020-06-01 modified 2020-06-02 plugin id 119887 published 2018-12-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119887 title pfSense 2.3.x <= 2.3.5-p2 / 2.4.x < 2.4.4 Multiple Vulnerabilities (SA-18_06 / SA-18_07 / SA-18_08) NASL family Fedora Local Security Checks NASL id FEDORA_2018-C43C1EE06F.NASL description fix for CVE-2018-14526 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-08-24 plugin id 112101 published 2018-08-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112101 title Fedora 27 : 1:wpa_supplicant (2018-c43c1ee06f) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-839.NASL description hostapd was updated to fix following security issue : - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data (bsc#1104205) last seen 2020-05-31 modified 2019-03-27 plugin id 123352 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123352 title openSUSE Security Update : hostapd (openSUSE-2019-839) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1194.NASL description According to the version of the wpa_supplicant package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.(CVE-2018-14526) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 123880 published 2019-04-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123880 title EulerOS Virtualization 2.5.4 : wpa_supplicant (EulerOS-SA-2019-1194) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1293.NASL description hostapd was updated to fix following security issue : - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data (bsc#1104205) last seen 2020-06-05 modified 2018-10-29 plugin id 118481 published 2018-10-29 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118481 title openSUSE Security Update : hostapd (openSUSE-2018-1293) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-3480-1.NASL description This update for wpa_supplicant provides the following fixes : This security issues was fixe : CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the vulnerability to recover sensitive information (bsc#1104205) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-02 plugin id 120147 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120147 title SUSE SLED15 / SLES15 Security Update : wpa_supplicant (SUSE-SU-2018:3480-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6BEDC8639FBE11E8945F206A8A720317.NASL description SO-AND-SO reports : A vulnerability was found in how wpa_supplicant processes EAPOL-Key frames. It is possible for an attacker to modify the frame in a way that makes wpa_supplicant decrypt the Key Data field without requiring a valid MIC value in the frame, i.e., without the frame being authenticated. This has a potential issue in the case where WPA2/RSN style of EAPOL-Key construction is used with TKIP negotiated as the pairwise cipher. It should be noted that WPA2 is not supposed to be used with TKIP as the pairwise cipher. Instead, CCMP is expected to be used and with that pairwise cipher, this vulnerability is not applicable in practice. When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data field is encrypted using RC4. This vulnerability allows unauthenticated EAPOL-Key frames to be processed and due to the RC4 design, this makes it possible for an attacker to modify the plaintext version of the Key Data field with bitwise XOR operations without knowing the contents. This can be used to cause a denial of service attack by modifying GTK/IGTK on the station (without the attacker learning any of the keys) which would prevent the station from accepting received group-addressed frames. Furthermore, this might be abused by making wpa_supplicant act as a decryption oracle to try to recover some of the Key Data payload (GTK/IGTK) to get knowledge of the group encryption keys. Full recovery of the group encryption keys requires multiple attempts (128 connection attempts per octet) and each attempt results in disconnection due to a failure to complete the 4-way handshake. These failures can result in the AP/network getting disabled temporarily or even permanently (requiring user action to re-enable) which may make it impractical to perform the attack to recover the keys before the AP has already changes the group keys. By default, wpa_supplicant is enforcing at minimum a ten second wait time between each failed connection attempt, i.e., over 20 minutes waiting to recover each octet while hostapd AP implementation uses 10 minute default for GTK rekeying when using TKIP. With such timing behavior, practical attack would need large number of impacted stations to be trying to connect to the same AP to be able to recover sufficient information from the GTK to be able to determine the key before it gets changed. last seen 2020-06-01 modified 2020-06-02 plugin id 111720 published 2018-08-15 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111720 title FreeBSD : wpa_supplicant -- unauthenticated encrypted EAPOL-Key data (6bedc863-9fbe-11e8-945f-206a8a720317) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1316.NASL description This update for wpa_supplicant provides the following fixes : This security issues was fixe : - CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the vulnerability to recover sensitive information (bsc#1104205) These non-security issues were fixed : - Fix reading private key passwords from the configuration file. (bsc#1099835) - Enable PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network. (bsc#1109209) - compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - Enabled timestamps in log file when being invoked by systemd service file (bsc#1080798). - Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-05 modified 2018-10-29 plugin id 118487 published 2018-10-29 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118487 title openSUSE Security Update : wpa_supplicant (openSUSE-2018-1316) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-871.NASL description This update for wpa_supplicant provides the following fixes : This security issues was fixe : - CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the vulnerability to recover sensitive information (bsc#1104205) These non-security issues were fixed : - Fix reading private key passwords from the configuration file. (bsc#1099835) - Enable PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network. (bsc#1109209) - compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - Enabled timestamps in log file when being invoked by systemd service file (bsc#1080798). - Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 123362 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123362 title openSUSE Security Update : wpa_supplicant (openSUSE-2019-871) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-3107.NASL description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 118993 published 2018-11-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118993 title CentOS 7 : wpa_supplicant (CESA-2018:3107) NASL family Scientific Linux Local Security Checks NASL id SL_20181030_WPA_SUPPLICANT_ON_SL7_X.NASL description Security Fix(es) : - wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526) last seen 2020-03-18 modified 2018-11-27 plugin id 119202 published 2018-11-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119202 title Scientific Linux Security Update : wpa_supplicant on SL7.x x86_64 (20181030) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1317.NASL description According to the version of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.(CVE-2018-14526) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-09-27 plugin id 117760 published 2018-09-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117760 title EulerOS 2.0 SP2 : wpa_supplicant (EulerOS-SA-2018-1317) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1318.NASL description According to the version of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.(CVE-2018-14526) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-09-27 plugin id 117761 published 2018-09-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117761 title EulerOS 2.0 SP3 : wpa_supplicant (EulerOS-SA-2018-1318) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-3107.NASL description From Red Hat Security Advisory 2018:3107 : An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 118772 published 2018-11-07 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118772 title Oracle Linux 7 : wpa_supplicant (ELSA-2018-3107) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1422.NASL description According to the versions of the wpa_supplicant package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13079) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.(CVE-2017-13081) - An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.(CVE-2018-14526) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used integrity group key (IGTK) during a Wireless Network Management (WNM) Sleep Mode handshake.(CVE-2017-13088) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a group key handshake.(CVE-2017-13080) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a Wireless Network Management (WNM) Sleep Mode handshake.(CVE-2017-13087) - A new exploitation technique called key reinstallation attacks (KRACKs) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used pairwise key (PTK-TK) during a 4-way handshake.(CVE-2017-13077) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a 4-way handshake.(CVE-2017-13078) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used pairwise key (PTK-TK) by retransmitting Fast BSS Transition (FT) Reassociation Requests.(CVE-2017-13082) - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used Tunneled Direct-Link Setup (TDLS) Peerkey (TPK) key during a TDLS handshake.(CVE-2017-13086) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124925 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124925 title EulerOS Virtualization 3.0.1.0 : wpa_supplicant (EulerOS-SA-2019-1422) NASL family Fedora Local Security Checks NASL id FEDORA_2018-41DFADD21A.NASL description fix for CVE-2018-14526 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120378 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120378 title Fedora 28 : 1:wpa_supplicant (2018-41dfadd21a)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
- https://papers.mathyvanhoef.com/woot2018.pdf
- http://www.securitytracker.com/id/1041438
- https://lists.debian.org/debian-lts-announce/2018/08/msg00009.html
- https://security.FreeBSD.org/advisories/FreeBSD-SA-18:11.hostapd.asc
- https://usn.ubuntu.com/3745-1/
- https://access.redhat.com/errata/RHSA-2018:3107
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00013.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-344983.pdf
- https://www.us-cert.gov/ics/advisories/icsa-19-344-01