SB2020090375 - Improper Authentication in busybox (Alpine package)

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020090375

SB2020090375 - Improper Authentication in busybox (Alpine package)

Published: September 3, 2020

Security Bulletin ID SB2020090375
Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper Authentication (CVE-ID: CVE-2019-9497)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. A remote attacker can complete EAP-PWD authentication without knowing the password and gain unauthorized access to the application.

However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange.

This vulnerability affects the following products:

  • hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4
  • hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7

Remediation

Install update from vendor's website.

References