The implementations of EAP-PWD in wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit
CVE-2019-9499

8.1HIGH

Key Information:

Vendor

Wi-fi Alliance

Status
Hostapd With Eap-pwd Support
WPa Supplicant With Eap-pwd Support
Hostapd With Sae Support
WPa Supplicant With Sae Support
Vendor
CVE Published:
17 April 2019

What is CVE-2019-9499?

The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

hostapd with EAP-pwd support 2.7

hostapd with SAE support 2.4

wpa_supplicant with EAP-pwd support 2.7

References

https://w1.fi/security/2019-4/
x_refsource_CONFIRM
https://www.synology.com/security/advisory/Synology_SA_19_16
x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.