CVE-2019-9499

Priority
Description
The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built
against a crypto library missing explicit validation on imported elements,
do not validate the scalar and element values in EAP-pwd-Commit. An
attacker may complete authentication, session key and control of the data
connection with a client. Both hostapd with SAE support and wpa_supplicant
with SAE support prior to and including version 2.4 are affected. Both
hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior
to and including version 2.7 are affected.
Notes
Package
Source: wpa (LP Ubuntu Debian)
Upstream:released (2.8)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (2.1-0ubuntu1.7)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.4-0ubuntu6.4)
Ubuntu 18.04 LTS (Bionic Beaver):released (2:2.6-15ubuntu2.2)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code not-present)
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
More Information

Updated: 2020-07-28 20:07:56 UTC (commit d26b6ca9f5b3adb89bb036ce73ae7dab894935ec)