Debian update for wpa

Published: 2019-09-30

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2019-13377 CVE-2019-16275
CWE-ID	CWE-200 CWE-20
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software Subscribe	wpa (Debian package) Operating systems & Components / Operating system package or component
Vendor	Debian

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU20415

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-13377

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct time-based side-channel attacks on a targeted system.

The vulnerability exists due to insufficient security restrictions during the WPA3's Dragonfly handshake process when using Brainpool curves. A remote in radio range of the access point can observe timing differences and cache access patterns, conduct a side-channel attack and access sensitive information that could be used for full password recovery.

Mitigation

Update the affected package to version: 2:2.7+git20190128+0c1e29f-6+deb10u1.

Vulnerable software versions

wpa (Debian package): 2:2.4-1 - 2:2.7+git20190128+0c1e29f-6

CPE2.3

cpe:2.3:o:debian:wpa:2:2.7+git20190128+0c1e29f-6:*:*:*:*:debian_linux:*:*

External links

http://www.debian.org/security/2019/dsa-4538

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Input validation error

EUVDB-ID: #VU21420