#VU23963 Permissions, Privileges, and Access Controls in hostapd and wpa_supplicant - CVE-2019-9498

Cybersecurity Help s.r.o.

Published: 2020-01-06

Vulnerability identifier: #VU23963

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-9498

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
hostapd
Server applications / Remote access servers, VPN
wpa_supplicant
Server applications / Encryption software

Vendor: Jouni Malinen

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. A remote attacker can use invalid scalar/element values to complete authentication.

This vulnerability affects the following products:

hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4

hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7

Mitigation
Install updates from vendor's website.

Vulnerable software versions

hostapd: 1.0 - 2.7

wpa_supplicant: 1.0 - 2.7

External links
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/
https://seclists.org/bugtraq/2019/May/40
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc
https://w1.fi/security/2019-4/
https://www.synology.com/security/advisory/Synology_SA_19_16

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for wpa_supplicant

Permissions, Privileges, and Access Controls in busybox (Alpine package)

OpenSUSE Linux update for hostapd

Multiple vulnerabilities in WPA3 hostapd and wpa_supplicant

Permissions, Privileges, and Access Controls in hostapd (Alpine package)

Fedora EPEL 7 update for hostapd

Fedora 28 update for hostapd

Fedora 29 update for hostapd

Fedora 30 update for hostapd

Fedora 30 update for wpa_supplicant