CVE-2019-13377 (retired)

Priority
Description
The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x
through 2.8 are vulnerable to side-channel attacks as a result of
observable timing differences and cache access patterns when Brainpool
curves are used. An attacker may be able to gain leaked information from a
side-channel attack that can be used for full password recovery.
Notes
 leosilva> from Debian "bug was added in v2.5"
 mdeslaur> SAE is not enabled in Ubuntu builds, some of the patches aren't
 mdeslaur> required.
Assigned-to
mdeslaur
Package
Source: wpa (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): released (2:2.6-15ubuntu2.4)
Ubuntu 19.04 (Disco Dingo): released (2:2.6-21ubuntu3.2)
Ubuntu 19.10 (Eoan): released (2:2.8-2ubuntu2)
Patches:
Upstream: https://w1.fi/security/2019-6/
More Information

Updated: 2019-09-19 16:07:21 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)