hostapd EAP-pwd Implementation Missing Commit Validation Network Impact Vulnerability [CVE-2019-9498]

CVE Number – CVE-2019-9498

A vulnerability in the EAP-pwd implementation of hostapd (EAP server) could allow an unauthenticated, adjacent attacker to gain access to a targeted network.

The vulnerability is due to insufficient validation of the received scalar and element values in EAP-pwd-Commit messages by the EAP-pwd implementation of the affected software. An attacker could exploit this vulnerability by submitting a commit message that is designed to manipulate the exchange, which the attacker could use to derive a session key value from a very small set of possible values. A successful exploit could allow the attacker to complete authentication and gain access to the targeted network.

The vendor has confirmed the vulnerability and released software updates.

Analysis

• To exploit this vulnerability, an attacker must be on the same shared physical (for example, Bluetooth, IEEE 802.11) or logical (for example, local IP subnet) network as the targeted system. This access requirement may reduce the likelihood of a successful exploit.

Safeguards

• Administrators are advised to apply the appropriate updates.
  
  Administrators are advised to allow only trusted users to have network access.
  
  Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  
  Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  
  Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
  
  Administrators are advised to monitor affected systems.

Vendor Announcements

• The vendor has released a security advisory at the following link: EAP-pwd missing commit validation

Fixed Software

• The vendor has released patches at the following link: 2019-4