CVE-2019-9497

NameCVE-2019-9497
DescriptionThe implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1867-1, DSA-4430-1
NVD severitymedium
Debian Bugs926801

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wpa (PTS)jessie2.3-1+deb8u5vulnerable
jessie (security)2.3-1+deb8u9fixed
stretch (security), stretch2:2.4-1+deb9u4fixed
buster, buster (security)2:2.7+git20190128+0c1e29f-6+deb10u1fixed
bullseye, sid2:2.9-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wpasource(unstable)2:2.7+git20190128+0c1e29f-4926801
wpasourcejessie2.3-1+deb8u8DLA-1867-1
wpasourcestretch2:2.4-1+deb9u3DSA-4430-1

Notes

https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
Patches: https://w1.fi/security/2019-4/

Search for package or bug name: Reporting problems