CVE-2019-9498

The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/
https://seclists.org/bugtraq/2019/May/40 Mailing List Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc Third Party Advisory
https://w1.fi/security/2019-4/ Patch Vendor Advisory
https://www.synology.com/security/advisory/Synology_SA_19_16 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/
https://seclists.org/bugtraq/2019/May/40 Mailing List Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc Third Party Advisory
https://w1.fi/security/2019-4/ Patch Vendor Advisory
https://www.synology.com/security/advisory/Synology_SA_19_16 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:w1.fi:hostapd:*:*:*:*:*:*:*:*
cpe:2.3:a:w1.fi:hostapd:*:*:*:*:*:*:*:*
cpe:2.3:a:w1.fi:wpa_supplicant:*:*:*:*:*:*:*:*
cpe:2.3:a:w1.fi:wpa_supplicant:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*
cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:a:synology:radius_server:3.0:*:*:*:*:*:*:*
cpe:2.3:a:synology:router_manager:1.2:*:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p13:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:11.2:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:12.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:12.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:12.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:12.0:p3:*:*:*:*:*:*

History

21 Nov 2024, 04:51

Type Values Removed Values Added
References () http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.html - Mailing List, Third Party Advisory () http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.html - Mailing List, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/ -
References () https://seclists.org/bugtraq/2019/May/40 - Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2019/May/40 - Mailing List, Third Party Advisory
References () https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc - Third Party Advisory () https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc - Third Party Advisory
References () https://w1.fi/security/2019-4/ - Patch, Vendor Advisory () https://w1.fi/security/2019-4/ - Patch, Vendor Advisory
References () https://www.synology.com/security/advisory/Synology_SA_19_16 - Third Party Advisory () https://www.synology.com/security/advisory/Synology_SA_19_16 - Third Party Advisory

07 Nov 2023, 03:13

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/', 'name': 'FEDORA-2019-f409af9fbe', 'tags': ['Mailing List', 'Release Notes', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/', 'name': 'FEDORA-2019-eba1109acd', 'tags': ['Mailing List', 'Release Notes', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/', 'name': 'FEDORA-2019-d03bae77f5', 'tags': ['Mailing List', 'Release Notes', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/ -

Information

Published : 2019-04-17 14:29

Updated : 2024-11-21 04:51


NVD link : CVE-2019-9498

Mitre link : CVE-2019-9498

CVE.ORG link : CVE-2019-9498


JSON object : View

Products Affected

freebsd

  • freebsd

opensuse

  • leap
  • backports_sle

debian

  • debian_linux

synology

  • radius_server
  • router_manager

w1.fi

  • wpa_supplicant
  • hostapd

fedoraproject

  • fedora
CWE
CWE-346

Origin Validation Error

CWE-287

Improper Authentication