UBUNTU-CVE-2019-9498

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2019-9498

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9498.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-9498

Related

Published

2019-04-10T15:00:00Z

Modified

2019-04-10T15:00:00Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpasupplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpasupplicant with EAP-pwd support prior to and including version 2.7 are affected.

References

Affected packages

Ubuntu:14.04:LTS / wpa

Package

Name: wpa
Purl: pkg:deb/ubuntu/wpa?arch=src?distro=trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1-0ubuntu1.7

Affected versions

1.*

1.0-3ubuntu2

1.0-3ubuntu3

1.0-3ubuntu4

2.*

2.1-0ubuntu1

2.1-0ubuntu1.1

2.1-0ubuntu1.2

2.1-0ubuntu1.3

2.1-0ubuntu1.4

2.1-0ubuntu1.5

2.1-0ubuntu1.6

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:2.1-0ubuntu1.7",
            "binary_name": "hostapd"
        },
        {
            "binary_version": "1:2.1-0ubuntu1.7",
            "binary_name": "hostapd-dbgsym"
        },
        {
            "binary_version": "2.1-0ubuntu1.7",
            "binary_name": "wpagui"
        },
        {
            "binary_version": "2.1-0ubuntu1.7",
            "binary_name": "wpagui-dbgsym"
        },
        {
            "binary_version": "2.1-0ubuntu1.7",
            "binary_name": "wpasupplicant"
        },
        {
            "binary_version": "2.1-0ubuntu1.7",
            "binary_name": "wpasupplicant-dbgsym"
        },
        {
            "binary_version": "2.1-0ubuntu1.7",
            "binary_name": "wpasupplicant-udeb"
        },
        {
            "binary_version": "2.1-0ubuntu1.7",
            "binary_name": "wpasupplicant-udeb-dbgsym"
        }
    ]
}

Ubuntu:16.04:LTS / wpa

Package

Name: wpa
Purl: pkg:deb/ubuntu/wpa?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4-0ubuntu6.4

Affected versions

2.*

2.4-0ubuntu3

2.4-0ubuntu4

2.4-0ubuntu5

2.4-0ubuntu6

2.4-0ubuntu6.2

2.4-0ubuntu6.3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:2.4-0ubuntu6.4",
            "binary_name": "hostapd"
        },
        {
            "binary_version": "1:2.4-0ubuntu6.4",
            "binary_name": "hostapd-dbgsym"
        },
        {
            "binary_version": "2.4-0ubuntu6.4",
            "binary_name": "wpagui"
        },
        {
            "binary_version": "2.4-0ubuntu6.4",
            "binary_name": "wpagui-dbgsym"
        },
        {
            "binary_version": "2.4-0ubuntu6.4",
            "binary_name": "wpasupplicant"
        },
        {
            "binary_version": "2.4-0ubuntu6.4",
            "binary_name": "wpasupplicant-dbgsym"
        },
        {
            "binary_version": "2.4-0ubuntu6.4",
            "binary_name": "wpasupplicant-udeb"
        },
        {
            "binary_version": "2.4-0ubuntu6.4",
            "binary_name": "wpasupplicant-udeb-dbgsym"
        }
    ]
}

Ubuntu:18.04:LTS / wpa

Package

Name: wpa
Purl: pkg:deb/ubuntu/wpa?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2:2.6-15ubuntu2.2

Affected versions

2.*

2.4-0ubuntu10

2:2.*

2:2.4-1.1ubuntu1

2:2.6-15ubuntu1

2:2.6-15ubuntu2

2:2.6-15ubuntu2.1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2:2.6-15ubuntu2.2",
            "binary_name": "hostapd"
        },
        {
            "binary_version": "2:2.6-15ubuntu2.2",
            "binary_name": "hostapd-dbgsym"
        },
        {
            "binary_version": "2:2.6-15ubuntu2.2",
            "binary_name": "wpagui"
        },
        {
            "binary_version": "2:2.6-15ubuntu2.2",
            "binary_name": "wpagui-dbgsym"
        },
        {
            "binary_version": "2:2.6-15ubuntu2.2",
            "binary_name": "wpasupplicant"
        },
        {
            "binary_version": "2:2.6-15ubuntu2.2",
            "binary_name": "wpasupplicant-dbgsym"
        },
        {
            "binary_version": "2:2.6-15ubuntu2.2",
            "binary_name": "wpasupplicant-udeb"
        }
    ]
}