Vulnerabilities > CVE-2019-9494 - Information Exposure Through Discrepancy vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1891.NASL description According to the versions of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) - An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9496) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-09-16 plugin id 128814 published 2019-09-16 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128814 title EulerOS 2.0 SP5 : wpa_supplicant (EulerOS-SA-2019-1891) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(128814); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2019-9494", "CVE-2019-9496" ); script_name(english:"EulerOS 2.0 SP5 : wpa_supplicant (EulerOS-SA-2019-1891)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) - An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9496) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1891 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e4da26ab"); script_set_attribute(attribute:"solution", value: "Update the affected wpa_supplicant packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9494"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/16"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:wpa_supplicant"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["wpa_supplicant-2.6-9.h6.eulerosv2r7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wpa_supplicant"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2019-F409AF9FBE.NASL description Update to version 2.7 from upstream Security fix for CVE-2019-9494 (cache attack against SAE) Security fix for CVE-2019-9495 (cache attack against EAP-pwd) Security fix for CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) Security fix for CVE-2019-9497 (EAP-pwd server not checking for reflection attack) Security fix for CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element) Security fix for CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124252 published 2019-04-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124252 title Fedora 29 : hostapd (2019-f409af9fbe) NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-222.NASL description This update for hostapd fixes the following issues : hostapd was updated to version 2.9 : - SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] - EAP-pwd changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] - fixed FT-EAP initial mobility domain association using PMKSA caching - added configuration of airtime policy - fixed FILS to and RSNE into (Re)Association Response frames - fixed DPP bootstrapping URI parser of channel list - added support for regulatory WMM limitation (for ETSI) - added support for MACsec Key Agreement using IEEE 802.1X/PSK - added experimental support for EAP-TEAP server (RFC 7170) - added experimental support for EAP-TLS server with TLS v1.3 - added support for two server certificates/keys (RSA/ECC) - added AKMSuiteSelector into last seen 2020-03-18 modified 2020-02-18 plugin id 133758 published 2020-02-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133758 title openSUSE Security Update : hostapd (openSUSE-2020-222) (KRACK) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1945.NASL description According to the versions of the wpa_supplicant package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) - An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9496) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128948 published 2019-09-17 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128948 title EulerOS Virtualization for ARM 64 3.0.2.0 : wpa_supplicant (EulerOS-SA-2019-1945) NASL family Fedora Local Security Checks NASL id FEDORA_2019-CA49DFD42F.NASL description include fix for : CVE-2019-9494 CVE-2019-9495 CVE-2019-9496 CVE-2019-9497 CVE-2019-9498 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124539 published 2019-05-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124539 title Fedora 30 : 1:wpa_supplicant (2019-ca49dfd42f) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_7E53F9CC656D11E98E67206A8A720317.NASL description Side channel attacks in the SAE implementations used by both hostapd (AP) and wpa_supplicant (infrastructure BSS station/mesh station). SAE (Simultaneous Authentication of Equals) is also known as WPA3-Personal. The discovered side channel attacks may be able to leak information about the used password based on observable timing differences and cache access patterns. This might result in full password recovery when combined with an offline dictionary attack and if the password is not strong enough to protect against dictionary attacks. See https://w1.fi/security/2019-1/sae-side-channel-attacks.txt for a detailed description of the bug. Impact : All wpa_supplicant and hostapd versions with SAE support (CONFIG_SAE=y in the build configuration and SAE being enabled in the runtime configuration). last seen 2020-06-01 modified 2020-06-02 plugin id 124222 published 2019-04-23 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124222 title FreeBSD : FreeBSD -- SAE side-channel attacks (7e53f9cc-656d-11e9-8e67-206a8a720317) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1005.NASL description According to the version of the freeradius package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the last seen 2020-05-03 modified 2020-01-02 plugin id 132598 published 2020-01-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132598 title EulerOS 2.0 SP8 : freeradius (EulerOS-SA-2020-1005) NASL family Fedora Local Security Checks NASL id FEDORA_2019-EBA1109ACD.NASL description Update to version 2.7 from upstream Security fix for CVE-2019-9494 (cache attack against SAE) Security fix for CVE-2019-9495 (cache attack against EAP-pwd) Security fix for CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) Security fix for CVE-2019-9497 (EAP-pwd server not checking for reflection attack) Security fix for CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element) Security fix for CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124554 published 2019-05-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124554 title Fedora 30 : hostapd (2019-eba1109acd) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4430.NASL description Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) found multiple vulnerabilities in the WPA implementation found in wpa_supplication (station) and hostapd (access point). These vulnerability are also collectively known as last seen 2020-06-01 modified 2020-06-02 plugin id 124038 published 2019-04-15 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124038 title Debian DSA-4430-1 : wpa - security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1779.NASL description According to the version of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-03 modified 2019-07-25 plugin id 127016 published 2019-07-25 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127016 title EulerOS 2.0 SP8 : wpa_supplicant (EulerOS-SA-2019-1779) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1875.NASL description According to the version of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-09-16 plugin id 128798 published 2019-09-16 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128798 title EulerOS 2.0 SP2 : wpa_supplicant (EulerOS-SA-2019-1875) NASL family Fedora Local Security Checks NASL id FEDORA_2019-D03BAE77F5.NASL description Update to version 2.7 from upstream Security fix for CVE-2019-9494 (cache attack against SAE) Security fix for CVE-2019-9495 (cache attack against EAP-pwd) Security fix for CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) Security fix for CVE-2019-9497 (EAP-pwd server not checking for reflection attack) Security fix for CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element) Security fix for CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124250 published 2019-04-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124250 title Fedora 28 : hostapd (2019-d03bae77f5) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2055.NASL description According to the version of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-09-24 plugin id 129248 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129248 title EulerOS 2.0 SP3 : wpa_supplicant (EulerOS-SA-2019-2055) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_60129EFE656D11E98E67206A8A720317.NASL description Potential side channel attacks in the SAE implementations used by both hostapd and wpa_supplicant (see CVE-2019-9494 and VU#871675). EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation. See https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt for a detailed description of the bug. Impact : All wpa_supplicant and hostapd versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled in the runtime configuration). last seen 2020-06-01 modified 2020-06-02 plugin id 124221 published 2019-04-23 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124221 title FreeBSD : FreeBSD -- EAP-pwd side-channel attack (60129efe-656d-11e9-8e67-206a8a720317)
The Hacker News
id | THN:3979199650AD976175EA702C38C334C2 |
last seen | 2019-04-15 |
modified | 2019-04-15 |
published | 2019-04-10 |
reporter | The Hacker News |
source | https://thehackernews.com/2019/04/wpa3-hack-wifi-password.html |
title | Security Flaws in WPA3 Protocol Let Attackers Hack WiFi Password |
References
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.html
- http://packetstormsecurity.com/files/152914/FreeBSD-Security-Advisory-FreeBSD-SA-19-03.wpa.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/
- https://seclists.org/bugtraq/2019/May/40
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc
- https://w1.fi/security/2019-1/
- https://www.synology.com/security/advisory/Synology_SA_19_16
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.html
- https://www.synology.com/security/advisory/Synology_SA_19_16
- https://w1.fi/security/2019-1/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc
- https://seclists.org/bugtraq/2019/May/40
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/
- http://packetstormsecurity.com/files/152914/FreeBSD-Security-Advisory-FreeBSD-SA-19-03.wpa.html