SB2020021601 - OpenSUSE Linux update for hostapd

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020021601

SB2020021601 - OpenSUSE Linux update for hostapd

Published: February 16, 2020

Security Bulletin ID SB2020021601
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 57% Medium 29% Low 14%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Key management errors (CVE-ID: CVE-2017-13082)

The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used pairwise key.

The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.

2) Information disclosure (CVE-ID: CVE-2019-9494)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the implementations of SAE are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. A remote attacker can gain leaked information from a side channel attack that can be used for full password recovery.


3) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2019-9495)

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to the implementations of EAP-PWD are vulnerable to side-channel attacks as a result of cache access patterns. A remote attacker with ability to install and execute applications can crack weak passwords when memory access patterns are visible in a shared cache.


4) Improper Authentication (CVE-ID: CVE-2019-9496)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. A remote attacker can bypass authentication process, force the hostapd process to terminate and perform a denial of service (DoS) attack on the target system.


5) Improper Authentication (CVE-ID: CVE-2019-9497)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. A remote attacker can complete EAP-PWD authentication without knowing the password and gain unauthorized access to the application.

However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange.

This vulnerability affects the following products:

  • hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4
  • hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7

6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-9498)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. A remote attacker can use invalid scalar/element values to complete authentication.

This vulnerability affects the following products:

  • hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4
  • hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7

7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-9499)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. A remote attacker can complete authentication, session key and control of the data connection with a client.

This vulnerability affects the following products:

  • hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4
  • hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7

Remediation

Install update from vendor's website.

References