Side-Channel Vulnerability in Hostapd and WPA Supplicant by W1.fi
CVE-2019-13377

5.9 MEDIUM

Key Information:

Vendor

W1.fi

Status
Vendor
CVE Published: 15 August 2019

What is CVE-2019-13377?

The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant versions 2.x through 2.8 exhibit vulnerabilities that can be exploited through side-channel attacks. These vulnerabilities stem from observable timing differences and cache access patterns when using Brainpool curves. An attacker can take advantage of these weaknesses to obtain sensitive information, potentially leading to full password recovery.

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
