History: Jul 02, 2021 - 6:21 p.m.

Advisory ROSA-SA-2021-1998

2021-07-02 18:21:00
ROSA LAB
abf.rosalinux.ru

CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.016 Low
Percentile: 87.3%

Software: wpa_supplicant 2.6
OS: Cobalt 7.9

CVE-ID: CVE-2017-13084
CVE-Crit: MEDIUM
CVE-DESC: Wi-Fi Protected Access (WPA and WPA2) allows the Station-to-Station-Link (STSL) temporary key (STK) to be reassigned during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2019-11555
CVE-Crit: MEDIUM
CVE-DESC: The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer node) before 2.8 does not check the fragmentation reassembly state properly for the case where an unexpected fragment may be received. This could cause the process to terminate due to a NULL pointer dereference (denial of service). This affects eap_server / eap_server_pwd.c and eap_peer / eap_pwd.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-16275
CVE-Crit: MEDIUM
CVE-DESC: hostapd before 2.10 and wpa_supplicant before 2.10 allow incorrect disconnect indication in certain situations due to improper handling of source address verification. This is a denial of service that should have been prevented by PMF (also known as control frame protection). The attacker must send the generated 802.11 frame from a location within the 802.11 communication range.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2019-9494
CVE-Crit: MEDIUM
CVE-DESC: SAE implementations in hostapd and wpa_supplicant are vulnerable to side-channel attacks due to observed differences in timing and cache access patterns. An attacker can obtain leaked information from a side-channel attack that can be used for full password recovery. This applies to both SAE-enabled hostapd and SAE-enabled wpa_supplicant up to and including version 2.7.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-9495
CVE-Crit: LOW
CVE-DESC: EAP-PWD implementations in hostapd and wpa_supplicant are vulnerable to side-channel attacks due to cache access patterns. All EAP-PWD-enabled versions of hostapd and wpa_supplicant are vulnerable. The ability to install and run applications is necessary for a successful attack. Memory access patterns are visible in the shared cache. Weak passwords can be compromised. Versions of hostapd / wpa_supplicant 2.7 and newer are not vulnerable to the timing attack described in CVE-2019-9494. This applies to both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support up to and including version 2.7.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-9496
CVE-Crit: HIGH
CVE-DESC: Incorrect authentication sequence may cause hostapd process to terminate due to lack of state validation steps when processing SAE confirmation message in hostapd / AP mode. All SAE-enabled versions of hostapd are vulnerable. An attacker can force the hostapd process to terminate by performing a denial of service attack. This applies to both SAE-enabled hostapd and SAE-enabled wpa_supplicant up to and including version 2.7.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-9497
CVE-Crit: HIGH
CVE-DESC: EAP-PWD implementations in hostapd EAP Server and wpa_supplicant EAP Peer do not validate scalar and element values in EAP-pwd-Commit. This vulnerability could allow an attacker to authenticate EAP-PWD without knowing the password. However, unless the crypto library implements additional checks for the EC point, an attacker would not be able to obtain a session key or complete a key exchange. This applies to both SAE-enabled hostapd and SAE-enabled wpa_supplicant up to and including version 2.4. This applies to both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support up to and including version 2.7.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-9498
CVE-Crit: HIGH
CVE-DESC: EAP-PWD implementations on the hostapd EAP server, built on a cryptographic library that lacks explicit validation of imported elements, do not validate scalar and element values in EAP-pwd-Commit. An attacker can use invalid scalar / element values to complete authentication, obtain a session key, and access the network without knowing the password. This applies to both SAE-enabled hostapd and SAE-enabled wpa_supplicant up to and including version 2.4. This applies to both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support up to and including version 2.7.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-9499
CVE-Crit: HIGH
CVE-DESC: EAP-PWD implementations of wpa_supplicant EAP Peer, when built on a cryptographic library that lacks explicit verification of imported elements, do not verify scalar and element values in EAP-pwd-Commit. An attacker can complete authentication and obtain the session key and control of the data connection with the client. This applies to both SAE-enabled hostapd and SAE-enabled wpa_supplicant up to and including version 2.4. This applies to both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support up to and including version 2.7.
CVE-STATUS: default
CVE-REV: default

OS      OS Version  Architecture  Package         Package Version  Filename
Cobalt  any         noarch        wpa_supplicant  < 2.6            UNKNOWN
