CVE-2019-9494 — Observable Timing Discrepancy in Alliance Hostapd With SAE Support

CWE-208 — Observable Timing Discrepancy CWE-524 — Use of Cache Containing Sensitive Information CWE-203 — Observable Discrepancy CWE-385 — Covert Timing Channel CWE-200 — Sensitive Information Exposure CWE-924 — Improper Enforcement of Message Integrity During Transmission in a Communication Channel16 documents9 sources

Severity

5.9MEDIUMNVD

EPSS

1.4%

top 19.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Synology Router Manager Wi-fi Alliance Hostapd With SAE Support Wi-fi Alliance WPA Supplicant With SAE Support +7 more

Timeline

PublishedApr 17

Latest updateMay 13

Description

The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages8 packages

▶CVEListV5wi-fi_alliance/hostapd_with_sae_support2.7 — 2.7

▶NVDw1.fi/hostapd2.7

▶CVEListV5wi-fi_alliance/wpa_supplicant_with_sae_support2.7 — 2.7

▶NVDsynology/router_manager< 1.2.3-8087

▶NVDw1.fi/wpa_supplicant2.7

Also affects: Freebsd 11.2, 12.0, Fedora 28, 29, 30

Patches

Patch: w1.fi ↗Patch: w1.fi ↗

🔴Vulnerability Details

GHSA

GHSA-cvqc-p7v4-m9pm: The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache↗2022-05-13

▶

OSV

CVE-2019-9494: The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache↗2019-04-17

▶

CVEList

The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side-channel attacks↗2019-04-17

▶

📋Vendor Advisories

Red Hat

wpa_supplicant: SAE side channel attacks as a result of cache access patterns↗2022-01-17

▶

Microsoft

The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an inco↗2022-01-11

▶

Red Hat

freeradius: eap-pwd: Information leak due to aborting when needing more than 10 iterations↗2019-08-03

▶

BSD

FreeBSD-SA-19:03.wpa: Multiple vulnerabilities in hostapd and wpa_supplicant↗2019-05-14

▶

Red Hat

wpa_supplicant: SAE Timing-based and Cache-based side-channel attack against WPA3's Dragonfly handshake↗2019-04-10

▶

💬Community

Bugzilla

CVE-2019-9495 wpa_supplicant: EAP-pwd cache side-channel attack↗2019-04-11

▶

Bugzilla

CVE-2019-9494 hostapd: wpa_supplicant: SAE Timing-based and Cache-based side-channel attack against WPA3's Dragonfly handshake [epel-all]↗2019-04-11

▶

Bugzilla

CVE-2019-9494 hostapd: wpa_supplicant: SAE Timing-based and Cache-based side-channel attack against WPA3's Dragonfly handshake [fedora-all]↗2019-04-11

▶

Bugzilla

CVE-2019-9494 wpa_supplicant: SAE Timing-based and Cache-based side-channel attack against WPA3's Dragonfly handshake↗2019-04-11

▶

Bugzilla

CVE-2019-9494 wpa_supplicant: SAE Timing-based and Cache-based side-channel attack against WPA3's Dragonfly handshake [fedora-all]↗2019-04-11

▶