CVE-2019-9494

Summary

The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.

Affected Software

VendorProductVersion RangeStatus
Wi-Fi Alliancehostapd with SAE support2.7 <= 2.7affected
Wi-Fi Alliancewpa_supplicant with SAE support2.7 <= 2.7affected

Weaknesses

  • CWE-208: CWE-208 Information Exposure Through Timing Discrepancy
  • CWE-524: CWE-524 Information Exposure Through Caching

ADP Enrichment

CVE Program Container

Additional References

References