CVE-2019-13377

Priority
Description
The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x
through 2.8 are vulnerable to side-channel attacks as a result of
observable timing differences and cache access patterns when Brainpool
curves are used. An attacker may be able to gain leaked information from a
side-channel attack that can be used for full password recovery.
Assigned-to
mdeslaur
Notes
leosilva: from Debian "bug was added in v2.5"
mdeslaur: SAE is not enabled in Ubuntu builds, some of the patches aren't
required.
Package
Source: wpa (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): released (2:2.6-15ubuntu2.4)
Ubuntu 19.04 (Disco Dingo): released (2:2.6-21ubuntu3.2)
Ubuntu 19.10 (Eoan Ermine): released (2:2.8-2ubuntu2)
Patches:
Upstream: https://w1.fi/security/2019-6/
More Information

Updated: 2019-12-05 21:09:53 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)