CVE-2019-13377

Published: 08 August 2019

The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package: wpa (Launchpad, Ubuntu, Debian)

Release                                Status
Upstream                               Needs triage
Ubuntu 18.04 LTS (Bionic Beaver)       Released (2:2.6-15ubuntu2.4)
Ubuntu 16.04 LTS (Xenial Xerus)        Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr)         Not vulnerable (code not present)
Ubuntu 12.04 ESM (Precise Pangolin)    Does not exist

Patches:
Upstream: https://w1.fi/security/2019-6/