CVE-2019-13377 — MEDIUM (5.9)

Q: How severe is CVE-2019-13377?

CVE-2019-13377 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-13377?

Check the references section above for vendor advisories and patch information. Affected products include: W1.Fi Hostapd, Fedoraproject Fedora, Canonical Ubuntu Linux, Debian Debian Linux.

Vulnerability Description

The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
W1.Fi	Hostapd	>= 2.0, <= 2.8
Fedoraproject	Fedora	30
Canonical	Ubuntu Linux	18.04
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-203

References

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Sep/56Mailing ListThird Party Advisory
https://usn.ubuntu.com/4098-1/Third Party Advisory
https://w1.fi/cgit/hostap/commit/?id=147bf7b88a9c231322b5b574263071ca6dbb0503Mailing ListPatchVendor Advisory
https://w1.fi/cgit/hostap/commit/?id=cd803299ca485eb857e37c88f973fccfbb8600e5Mailing ListPatchVendor Advisory
https://www.debian.org/security/2019/dsa-4538Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Sep/56Mailing ListThird Party Advisory
https://usn.ubuntu.com/4098-1/Third Party Advisory
https://w1.fi/cgit/hostap/commit/?id=147bf7b88a9c231322b5b574263071ca6dbb0503Mailing ListPatchVendor Advisory
https://w1.fi/cgit/hostap/commit/?id=cd803299ca485eb857e37c88f973fccfbb8600e5Mailing ListPatchVendor Advisory
https://www.debian.org/security/2019/dsa-4538Third Party Advisory

FAQ

What is CVE-2019-13377?

CVE-2019-13377 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when ...

How severe is CVE-2019-13377?

CVE-2019-13377 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-13377?

Check the references section above for vendor advisories and patch information. Affected products include: W1.Fi Hostapd, Fedoraproject Fedora, Canonical Ubuntu Linux, Debian Debian Linux.