Vulnerability CVE-2019-13377

Vulnerability Name:

CVE-2019-13377 (CCN-164829)

Assigned:

2019-08-03

Published:

2019-08-03

Updated:

2022-04-18

Summary:

The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.

CVSS v3 Severity:

5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-203

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2019-13377

Source: XF
Type: UNKNOWN
wifialliance-cve201913377-info-disc(164829)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2019-97e9040197

Source: BUGTRAQ
Type: Mailing List, Third Party Advisory
20190929 [SECURITY] [DSA 4538-1] wpa security update

Source: CCN
Type: The Hacker News Web site
Researchers Discover New Ways to Hack WPA3 Protected WiFi Passwords

Source: CONFIRM
Type: Third Party Advisory
https://usn.ubuntu.com/4098-1/

Source: MISC
Type: Mailing List, Patch, Vendor Advisory
https://w1.fi/cgit/hostap/commit/?id=147bf7b88a9c231322b5b574263071ca6dbb0503

Source: MISC
Type: Mailing List, Patch, Vendor Advisory
https://w1.fi/cgit/hostap/commit/?id=cd803299ca485eb857e37c88f973fccfbb8600e5

Source: DEBIAN
Type: Third Party Advisory
DSA-4538

Source: CCN
Type: Wi-Fi Alliance Web site
WiFi WPA3

Source: CCN
Type: ZDNet Web site
New Dragonblood vulnerabilities found in WiFi WPA3 standard

Vulnerable Configuration:

Configuration 1:

cpe:/a:w1.fi:hostapd:*:*:*:*:*:*:*:* (Version >= 2.0 and <= 2.8)

Configuration 2:

cpe:/o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

Configuration 4:

cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201913377	V	CVE-2019-13377	2023-06-22
oval:org.opensuse.security:def:7829	P	wpa_supplicant-2.10-150500.1.3 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:51989	P	Security update for xen (Important)	2023-01-26
oval:org.opensuse.security:def:51958	P	Security update for grub2 (Important)	2022-11-21
oval:org.opensuse.security:def:4665	P	Security update for the Linux Kernel (Important)	2022-08-09
oval:org.opensuse.security:def:3170	P	libexif12-0.6.21-8.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3164	P	libdcerpc-binding0-32bit-4.10.5+git.129.35f7bb6e177-1.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3818	P	w3m-0.5.3.git20161120-161.3.4 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3180	P	libgraphite2-3-1.3.1-10.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3405	P	xlockmore-5.43-5.30 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3419	P	ImageMagick-config-6-SUSE-6.8.8.1-71.126.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3396	P	w3m-0.5.3.git20161120-161.3.4 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3222	P	libopenssl-devel-1.0.2p-1.13 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3423	P	aaa_base-13.2+git20140911.61c1681-38.13.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3178	P	libgnomesu-2.0.0-353.6.2 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3417	P	zypper-1.13.51-21.26.4 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3420	P	MozillaFirefox-68.1.0-109.92.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3830	P	xorg-x11-server-1.19.6-8.18 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95125	P	librelp-devel-1.2.15-1.15 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94852	P	wpa_supplicant-2.9-4.33.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:333	P	wpa_supplicant-2.9-4.29.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:386	P	wpa_supplicant-2.9-4.33.1 on GA media (Moderate)	2022-06-10
oval:org.opensuse.security:def:125722	P	Security update for wpa_supplicant (Important)	2022-05-26
oval:org.opensuse.security:def:126887	P	Security update for wpa_supplicant (Important)	2022-05-26
oval:org.opensuse.security:def:127284	P	Security update for wpa_supplicant (Important)	2022-05-26
oval:org.opensuse.security:def:5253	P	Security update for openldap2 (Important)	2022-05-20
oval:org.opensuse.security:def:4734	P	Security update for the Linux Kernel (Important)	2022-05-16
oval:org.opensuse.security:def:4593	P	Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP5) (Important)	2022-05-09
oval:org.opensuse.security:def:5231	P	Security update for libcaca (Moderate)	2022-05-03
oval:org.opensuse.security:def:101838	P	Security update for go1.18 (Moderate)	2022-04-26
oval:org.opensuse.security:def:4588	P	Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP5) (Important)	2022-04-25
oval:org.opensuse.security:def:4584	P	Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP5) (Important)	2022-04-25
oval:org.opensuse.security:def:4577	P	Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP5) (Important)	2022-04-15
oval:org.opensuse.security:def:5372	P	Security update for openssl-1_1 (Important)	2022-03-15
oval:org.opensuse.security:def:4686	P	Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP5) (Critical)	2022-02-16
oval:org.opensuse.security:def:94448	P	(Important)	2022-01-25
oval:org.opensuse.security:def:113587	P	wpa_supplicant-2.9-13.4 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:70583	P	Security update for SDL2 (Important) (in QA)	2022-01-12
oval:org.opensuse.security:def:4531	P	Security update for go1.17 (Moderate)	2021-12-23
oval:org.opensuse.security:def:68324	P	Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP2) (Important)	2021-12-14
oval:org.opensuse.security:def:70326	P	Security update for the Linux Kernel (Important)	2021-12-07
oval:org.opensuse.security:def:1789	P	Security update for the Linux Kernel (Important)	2021-12-06
oval:org.opensuse.security:def:67335	P	Security update for poppler (Important)	2021-12-01
oval:org.opensuse.security:def:66983	P	Security update for postgresql14 (Important)	2021-11-22
oval:org.opensuse.security:def:73905	P	Security update for python (Moderate)	2021-10-20
oval:org.opensuse.security:def:106973	P	wpa_supplicant-2.9-13.4 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:96645	P	libjasper4-2.0.14-3.3.2 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:1262	P	Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) (Important)	2021-09-16
oval:org.opensuse.security:def:69077	P	Security update for apache2 (Important)	2021-09-03
oval:org.opensuse.security:def:67240	P	Security update for openssl-1_1 (Important)	2021-08-24
oval:org.opensuse.security:def:49449	P	Security update for nodejs12 (Important)	2021-08-24
oval:org.opensuse.security:def:46996	P	libXp6-1.0.2-3.57 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47090	P	libusbmuxd4-1.0.10-2.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47850	P	perl-DBD-mysql-4.021-12.5.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46935	P	eog-3.20.4-7.7 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47059	P	libpcsclite1-1.8.10-3.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47797	P	libtiff5-32bit-4.0.9-44.24.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47159	P	sudo-1.8.10p3-6.16 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:4726	P	Security update for the Linux Kernel (Important)	2021-08-10
oval:org.opensuse.security:def:2427	P	python2-waitress-1.4.3-3.3.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101161	P	gstreamer-plugins-bad-1.16.2-7.22 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62351	P	wpa_supplicant-2.9-4.29.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:71777	P	bluez-5.55-1.57 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1936	P	nasm-2.14.02-3.4.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72092	P	wpa_supplicant-2.9-4.29.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1933	P	libtdsodbc0-1.1.36-3.3.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1931	P	libgit2-28-0.28.4-1.28 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101109	P	wpa_supplicant-2.9-4.29.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1937	P	ncurses-devel-32bit-6.1-5.6.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:70431	P	Security update for libnettle (Important)	2021-06-23
oval:org.opensuse.security:def:64532	P	Security update for xterm (Important)	2021-06-18
oval:org.opensuse.security:def:74710	P	Security update for the Linux Kernel (Important)	2021-06-15
oval:org.opensuse.security:def:73648	P	Security update for libjpeg-turbo (Moderate)	2021-06-11
oval:org.opensuse.security:def:46853	P	systemtap-2.5-4.44 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:4551	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:65640	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:4721	P	Security update for the Linux Kernel (Important)	2021-04-13
oval:org.opensuse.security:def:67075	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:49463	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:51168	P	Security update for java-1_8_0-ibm (Important)	2021-02-26
oval:org.opensuse.security:def:64644	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:73766	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:5397	P	Security update for the Linux Kernel (Important)	2021-01-14
oval:org.opensuse.security:def:51094	P	Security update for spice-gtk (Important)	2020-12-16
oval:org.opensuse.security:def:51854	P	Security update for python-cryptography (Moderate)	2020-12-04
oval:org.opensuse.security:def:71664	P	mailx-12.5-1.87 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:4074	P	libvorbis-devel-1.3.3-10.14.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:4061	P	libtag-devel-1.9.1-1.218 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72314	P	perl-MIME-Charset-1.012.2-1.24 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72430	P	open-vm-tools-desktop-11.1.0-2.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:5543	P	Security update for wpa_supplicant (Moderate)	2020-12-02
oval:org.opensuse.security:def:4823	P	Security update for xmltooling (Moderate)	2020-12-02
oval:org.opensuse.security:def:4860	P	Security update for shibboleth-sp (Moderate)	2020-12-02
oval:org.opensuse.security:def:4800	P	Security update for xen (Important)	2020-12-02
oval:org.opensuse.security:def:5515	P	Security update for python-pip (Moderate)	2020-12-02
oval:org.opensuse.security:def:4877	P	Security update for xen (Important)	2020-12-02
oval:org.opensuse.security:def:4714	P	Security update for python-PyYAML (Important)	2020-12-02
oval:org.opensuse.security:def:2579	P	Security update for wpa_supplicant (Moderate)	2020-12-02
oval:org.opensuse.security:def:4853	P	Security update for rsyslog (Moderate)	2020-12-02
oval:org.opensuse.security:def:4866	P	Security update for salt (Critical)	2020-12-02
oval:org.opensuse.security:def:2575	P	Security update for java-11-openjdk (Moderate)	2020-12-02
oval:org.opensuse.security:def:49579	P	libtag-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:52227	P	Security update for libproxy (Important)	2020-12-01
oval:org.opensuse.security:def:75183	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:49363	P	yast2-buildtools on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24954	P	Security update for gstreamer-plugins-base (Important)	2020-12-01
oval:org.opensuse.security:def:50958	P	Security update for postgresql10 (Important)	2020-12-01
oval:org.opensuse.security:def:53718	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:52095	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:52256	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:74026	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:49682	P	libnetpbm-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50995	P	Security update for spice-gtk (Moderate)	2020-12-01
oval:org.opensuse.security:def:53646	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:52263	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:50686	P	Security update for lz4 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25648	P	Security update for python36 (Important)	2020-12-01
oval:org.opensuse.security:def:50821	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:52370	P	Security update for opencv (Moderate)	2020-12-01
oval:org.opensuse.security:def:50596	P	Security update for nmap (Moderate)	2020-12-01
oval:org.opensuse.security:def:70691	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:49367	P	yubikey-manager on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:65108	P	Security update for wireshark (Moderate)	2020-12-01
oval:org.opensuse.security:def:52201	P	Security update for openldap2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:65077	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:25682	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:24869	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:50925	P	Security update for unbound (Important)	2020-12-01
oval:org.opensuse.security:def:52045	P	Security update for libxml2 (Low)	2020-12-01
oval:org.opensuse.security:def:64990	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:68424	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:52151	P	Security update for google-compute-engine (Important)	2020-12-01
oval:org.opensuse.security:def:52506	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:50921	P	Security update for mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:51062	P	Security update for slirp4netns (Important)	2020-12-01
oval:org.opensuse.security:def:74584	P	Security update for openldap2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:50828	P	Security update for bcm43xx-firmware (Moderate)	2020-12-01
oval:org.opensuse.security:def:49514	P	gcab on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25010	P	Security update for postgresql10 (Important)	2020-12-01
oval:org.opensuse.security:def:52444	P	Security update for ovmf (Moderate)	2020-12-01
oval:org.opensuse.security:def:65730	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:49610	P	PackageKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50864	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:49305	P	ppc64-diag on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24968	P	Security update for avahi (Moderate)	2020-12-01
oval:org.opensuse.security:def:49432	P	libcups2-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49221	P	libprocps7 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:52184	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:52291	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:50810	P	Security update for libjpeg-turbo (Moderate)	2020-12-01
oval:org.opensuse.security:def:53573	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:52117	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:75050	P	Security update for ldb, samba (Important)	2020-12-01
oval:org.opensuse.security:def:49534	P	libXcursor1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:68974	P	Security update for tomcat (Important)	2020-12-01
oval:org.opensuse.security:def:50756	P	Security update for java-11-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:53503	P	Security update for mozilla-nss (Moderate)	2020-12-01
oval:org.opensuse.security:def:24818	P	Security update for ppp (Important)	2020-12-01
oval:org.opensuse.security:def:50852	P	Security update for python-waitress (Moderate)	2020-12-01
oval:org.opensuse.security:def:51015	P	Security update for libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:110878	P	Security update for wpa_supplicant (Moderate)	2020-11-27
oval:org.opensuse.security:def:110334	P	Security update for wpa_supplicant (Moderate)	2020-11-26
oval:org.opensuse.security:def:104057	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:104751	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:90402	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:107827	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:97367	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:75457	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:91096	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:108504	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:117342	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:98061	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:org.opensuse.security:def:75734	P	Security update for wpa_supplicant (Moderate)	2020-11-19
oval:com.ubuntu.disco:def:2019133770000000	V	CVE-2019-13377 on Ubuntu 19.04 (disco) - medium.	2019-08-15
oval:com.ubuntu.bionic:def:2019133770000000	V	CVE-2019-13377 on Ubuntu 18.04 LTS (bionic) - medium.	2019-08-15
oval:com.ubuntu.xenial:def:2019133770000000	V	CVE-2019-13377 on Ubuntu 16.04 LTS (xenial) - medium.	2019-08-08

BACK