SB2019081552 - Information disclosure in hostapd (Alpine package)
Published: August 15, 2019
Security Bulletin ID
SB2019081552
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Adjecent network
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2019-13377)
The vulnerability allows a remote attacker to conduct time-based side-channel attacks on a targeted system.
The vulnerability exists due to insufficient security restrictions during the WPA3's Dragonfly handshake process when using Brainpool curves. A remote in radio range of the access point can observe timing differences and cache access patterns, conduct a side-channel attack and access sensitive information that could be used for full password recovery.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=031621e2cf39f9441cb620e4ebfb5261276e7978
- https://git.alpinelinux.org/aports/commit/?id=b7d037c2a9b8f72b1230453919246b1637028ada
- https://git.alpinelinux.org/aports/commit/?id=c5978d4bc83c3c055db7df6a78ba76b748742e2c
- https://git.alpinelinux.org/aports/commit/?id=3cd64c67f1c3365cc8ae201d0206327198d4b5a7