Vulnerabilities > CVE-2019-9494 - Information Exposure Through Discrepancy vulnerability in multiple products

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE

Summary

The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.

Vulnerable Configurations

Part Description Count
Application
W1.Fi
121
Application
Opensuse
2
Application
Synology
59
OS
Fedoraproject
3
OS
Opensuse
1
OS
Freebsd
14

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1891.NASL
    descriptionAccording to the versions of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) - An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9496) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-09-16
    plugin id128814
    published2019-09-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128814
    titleEulerOS 2.0 SP5 : wpa_supplicant (EulerOS-SA-2019-1891)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128814);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2019-9494",
        "CVE-2019-9496"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : wpa_supplicant (EulerOS-SA-2019-1891)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the wpa_supplicant package installed,
    the EulerOS installation on the remote host is affected by the
    following vulnerabilities :
    
      - The implementations of SAE in hostapd and
        wpa_supplicant are vulnerable to side channel attacks
        as a result of observable timing differences and cache
        access patterns. An attacker may be able to gain leaked
        information from a side channel attack that can be used
        for full password recovery. Both hostapd with SAE
        support and wpa_supplicant with SAE support prior to
        and including version 2.7 are affected.(CVE-2019-9494)
    
      - An invalid authentication sequence could result in the
        hostapd process terminating due to missing state
        validation steps when processing the SAE confirm
        message when in hostapd/AP mode. All version of hostapd
        with SAE support are vulnerable. An attacker may force
        the hostapd process to terminate, performing a denial
        of service attack. Both hostapd with SAE support and
        wpa_supplicant with SAE support prior to and including
        version 2.7 are affected.(CVE-2019-9496)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1891
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e4da26ab");
      script_set_attribute(attribute:"solution", value:
    "Update the affected wpa_supplicant packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9494");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:wpa_supplicant");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["wpa_supplicant-2.6-9.h6.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wpa_supplicant");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-F409AF9FBE.NASL
    descriptionUpdate to version 2.7 from upstream Security fix for CVE-2019-9494 (cache attack against SAE) Security fix for CVE-2019-9495 (cache attack against EAP-pwd) Security fix for CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) Security fix for CVE-2019-9497 (EAP-pwd server not checking for reflection attack) Security fix for CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element) Security fix for CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124252
    published2019-04-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124252
    titleFedora 29 : hostapd (2019-f409af9fbe)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-222.NASL
    descriptionThis update for hostapd fixes the following issues : hostapd was updated to version 2.9 : - SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] - EAP-pwd changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] - fixed FT-EAP initial mobility domain association using PMKSA caching - added configuration of airtime policy - fixed FILS to and RSNE into (Re)Association Response frames - fixed DPP bootstrapping URI parser of channel list - added support for regulatory WMM limitation (for ETSI) - added support for MACsec Key Agreement using IEEE 802.1X/PSK - added experimental support for EAP-TEAP server (RFC 7170) - added experimental support for EAP-TLS server with TLS v1.3 - added support for two server certificates/keys (RSA/ECC) - added AKMSuiteSelector into
    last seen2020-03-18
    modified2020-02-18
    plugin id133758
    published2020-02-18
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133758
    titleopenSUSE Security Update : hostapd (openSUSE-2020-222) (KRACK)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1945.NASL
    descriptionAccording to the versions of the wpa_supplicant package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) - An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9496) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128948
    published2019-09-17
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128948
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : wpa_supplicant (EulerOS-SA-2019-1945)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-CA49DFD42F.NASL
    descriptioninclude fix for : CVE-2019-9494 CVE-2019-9495 CVE-2019-9496 CVE-2019-9497 CVE-2019-9498 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124539
    published2019-05-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124539
    titleFedora 30 : 1:wpa_supplicant (2019-ca49dfd42f)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7E53F9CC656D11E98E67206A8A720317.NASL
    descriptionSide channel attacks in the SAE implementations used by both hostapd (AP) and wpa_supplicant (infrastructure BSS station/mesh station). SAE (Simultaneous Authentication of Equals) is also known as WPA3-Personal. The discovered side channel attacks may be able to leak information about the used password based on observable timing differences and cache access patterns. This might result in full password recovery when combined with an offline dictionary attack and if the password is not strong enough to protect against dictionary attacks. See https://w1.fi/security/2019-1/sae-side-channel-attacks.txt for a detailed description of the bug. Impact : All wpa_supplicant and hostapd versions with SAE support (CONFIG_SAE=y in the build configuration and SAE being enabled in the runtime configuration).
    last seen2020-06-01
    modified2020-06-02
    plugin id124222
    published2019-04-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124222
    titleFreeBSD : FreeBSD -- SAE side-channel attacks (7e53f9cc-656d-11e9-8e67-206a8a720317)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1005.NASL
    descriptionAccording to the version of the freeradius package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the
    last seen2020-05-03
    modified2020-01-02
    plugin id132598
    published2020-01-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132598
    titleEulerOS 2.0 SP8 : freeradius (EulerOS-SA-2020-1005)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-EBA1109ACD.NASL
    descriptionUpdate to version 2.7 from upstream Security fix for CVE-2019-9494 (cache attack against SAE) Security fix for CVE-2019-9495 (cache attack against EAP-pwd) Security fix for CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) Security fix for CVE-2019-9497 (EAP-pwd server not checking for reflection attack) Security fix for CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element) Security fix for CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124554
    published2019-05-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124554
    titleFedora 30 : hostapd (2019-eba1109acd)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4430.NASL
    descriptionMathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) found multiple vulnerabilities in the WPA implementation found in wpa_supplication (station) and hostapd (access point). These vulnerability are also collectively known as
    last seen2020-06-01
    modified2020-06-02
    plugin id124038
    published2019-04-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124038
    titleDebian DSA-4430-1 : wpa - security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1779.NASL
    descriptionAccording to the version of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2019-07-25
    plugin id127016
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127016
    titleEulerOS 2.0 SP8 : wpa_supplicant (EulerOS-SA-2019-1779)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1875.NASL
    descriptionAccording to the version of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-09-16
    plugin id128798
    published2019-09-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128798
    titleEulerOS 2.0 SP2 : wpa_supplicant (EulerOS-SA-2019-1875)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-D03BAE77F5.NASL
    descriptionUpdate to version 2.7 from upstream Security fix for CVE-2019-9494 (cache attack against SAE) Security fix for CVE-2019-9495 (cache attack against EAP-pwd) Security fix for CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) Security fix for CVE-2019-9497 (EAP-pwd server not checking for reflection attack) Security fix for CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element) Security fix for CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124250
    published2019-04-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124250
    titleFedora 28 : hostapd (2019-d03bae77f5)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2055.NASL
    descriptionAccording to the version of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.(CVE-2019-9494) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-09-24
    plugin id129248
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129248
    titleEulerOS 2.0 SP3 : wpa_supplicant (EulerOS-SA-2019-2055)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_60129EFE656D11E98E67206A8A720317.NASL
    descriptionPotential side channel attacks in the SAE implementations used by both hostapd and wpa_supplicant (see CVE-2019-9494 and VU#871675). EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there is no reason to believe that the EAP-pwd implementation would be immune against the type of cache attack that was identified for the SAE implementation. Since the EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) does not support MODP groups, the timing attack described against SAE is not applicable for the EAP-pwd implementation. See https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt for a detailed description of the bug. Impact : All wpa_supplicant and hostapd versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled in the runtime configuration).
    last seen2020-06-01
    modified2020-06-02
    plugin id124221
    published2019-04-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124221
    titleFreeBSD : FreeBSD -- EAP-pwd side-channel attack (60129efe-656d-11e9-8e67-206a8a720317)

The Hacker News

idTHN:3979199650AD976175EA702C38C334C2
last seen2019-04-15
modified2019-04-15
published2019-04-10
reporterThe Hacker News
sourcehttps://thehackernews.com/2019/04/wpa3-hack-wifi-password.html
titleSecurity Flaws in WPA3 Protocol Let Attackers Hack WiFi Password

References