CVE-2019-9495

The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

Published : 2019-04-17 14:29 Updated : 2019-05-15 22:29

4.3
CVSS Score More info
Score 4.3 / 10
4.3
Vendor Product Version URI
W1.fi Hostapd 2.7 cpe:/a:w1.fi:hostapd:2.7
W1.fi Wpa Supplicant 2.7 cpe:/a:w1.fi:wpa_supplicant:2.7
Fedoraproject Fedora 28 cpe:/o:fedoraproject:fedora:28
Fedoraproject Fedora 29 cpe:/o:fedoraproject:fedora:29
Fedoraproject Fedora 30 cpe:/o:fedoraproject:fedora:30
  1. Fedoraproject (1) Search CVE
    1. Fedora (3) Search CVE
      1. 28
      2. 29
      3. 30
  2. W1.fi (2) Search CVE
    1. Hostapd (1) Search CVE
      1. 2.7
    2. Wpa Supplicant (1) Search CVE
      1. 2.7

CWE

ID Name Description Links
CWE-327 Use of a Broken or Risky Cryptographic Algorithm The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. CVE

History of changes

Date Event
2019-05-15 22:29
2019-05-15 17:29
2019-05-15 12:29
2019-05-15 02:29
2019-05-10 20:00
2019-04-28 00:29
2019-04-23 22:29
2019-04-19 13:08
2019-04-17 14:29

New CVE