Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.1258 wpa security update 12 April 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: wpa Publisher: Debian Operating System: Debian GNU/Linux 9 Impact/Access: Access Privileged Data -- Existing Account Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-9499 CVE-2019-9498 CVE-2019-9497 CVE-2019-9495 CVE-2019-9494 Reference: ESB-2019.1237 Original Bulletin: http://www.debian.org/security/2019/dsa-4430 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4430-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez April 10, 2019 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : wpa CVE ID : CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499 Debian Bug : 926801 Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) found multiple vulnerabilities in the WPA implementation found in wpa_supplication (station) and hostapd (access point). These vulnerability are also collectively known as "Dragonblood". CVE-2019-9495 Cache-based side-channel attack against the EAP-pwd implementation: an attacker able to run unprivileged code on the target machine (including for example javascript code in a browser on a smartphone) during the handshake could deduce enough information to discover the password in a dictionary attack. CVE-2019-9497 Reflection attack against EAP-pwd server implementation: a lack of validation of received scalar and elements value in the EAP-pwd-Commit messages could result in attacks that would be able to complete EAP-pwd authentication exchange without the attacker having to know the password. This does not result in the attacker being able to derive the session key, complete the following key exchange and access the network. CVE-2019-9498 EAP-pwd server missing commit validation for scalar/element: hostapd doesn't validate values received in the EAP-pwd-Commit message, so an attacker could use a specially crafted commit message to manipulate the exchange in order for hostapd to derive a session key from a limited set of possible values. This could result in an attacker being able to complete authentication and gain access to the network. CVE-2019-9499 EAP-pwd peer missing commit validation for scalar/element: wpa_supplicant doesn't validate values received in the EAP-pwd-Commit message, so an attacker could use a specially crafted commit message to manipulate the exchange in order for wpa_supplicant to derive a session key from a limited set of possible values. This could result in an attacker being able to complete authentication and operate as a rogue AP. Note that the Dragonblood moniker also applies to CVE-2019-9494 and CVE-2014-9496 which are vulnerabilities in the SAE protocol in WPA3. SAE is not enabled in Debian stretch builds of wpa, which is thus not vulnerable by default. Due to the complexity of the backporting process, the fix for these vulnerabilities are partial. Users are advised to use strong passwords to prevent dictionary attacks or use a 2.7-based version from stretch-backports (version above 2:2.7+git20190128+0c1e29f-4). For the stable distribution (stretch), these problems have been fixed in version 2:2.4-1+deb9u3. We recommend that you upgrade your wpa packages. For the detailed security status of wpa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wpa Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlyu2lQACgkQ3rYcyPpX RFtamggAlq8telLPhKzD1+Ns+Pci+Y+WkOAmUpn4XQ0TOmG18sDU1iS2xNHF+buA lXVKLp7zgE4VFJsclHAJXtp8anyo7YU99NzUcSF6vboRm3msifL4eE3S7IS9fAaH 0WWCHwlHMf9IGHqBn9mkwiYySwlId8ps3lvoVV2EOB4wJqa4Y6d4YrqPyFzWop56 jKTlTcJqvQBUFo/y9In/sx8QgONhNwnNAKcrBfiVwn8QHuMRA4c4UJz+NN38ctyt djA/zqT/uXwWhr8Mfl7J+rfdsC5TFPl45qr/gbmB7GRlU2la0dGJv/l0afbINrrG NoAgpOeMrwijIdDJ9vG6O3YVV6bIkg== =OkO5 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXK/fXGaOgq3Tt24GAQj4nRAAuvHYr5xvZyFDJNvy6A92qNm+AIT8CL0H OgOlUMyhi3OlnlVHfr2/4f+6x2+d+56nFUW305/8OpNYYprCNF310iYXbjVvDUy3 iovBjVGNLm2WcK+smZT8wqIcl0G9SC+2PFJ4rzWE06lF63r06ybMcNfNMqscjJJB dA6gxNzM9gDfX78Ozg3SkU31sTr2TFZdWcb+8oecNxxRozbJAwpFVpcxO6m62SZJ 1H9YXBq1rp4Ink6yBon2Qan/Iy/eraRMkXkPeL6eo5aYHj02Ygzpk+o3sqn4MIjB CTzjZ7RRgSabyM19lRFwO8CUGp/jZjc/UHXTh4KotGvUnF49g41DI0UF8R7/S6xc qR9R/xi4hv1V140fqY+vAe+at5oozpd6ranbODAIuux5Et9SJOrperqWl3sW1t2g 4GqOM2s9uQJAo+4xtVWfv3n6jTRStRZKt/+xtA2Zgyg7sh3RmCtGweU9fZlqbqoi D9SkaZkdgaSNNiTpIjJoDDhEI8dq87Wz6EIVSwhtMm7926dOog+CvlEzTl78F4s1 zqG1bopAj+DdbUPiOORtFDrSbF6Ep1kevEAWW9EdFlffWqFHFslbYxcyQO0zE3HV 3G9bU+0Y4a26qIeJeyPhFXyICpogKWU3ym4ENgvsHEDayqjb+sIdBKW+6kcWp7/Q vf+jMBiKo6s= =Vx8Y -----END PGP SIGNATURE-----