PT-2019-2183 · Wpa Supplicant+5
Published: 2019-04-10 · Updated: 2024-06-15 · CVE-2019-9499
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
wpa_supplicant versions prior to and including 2.4
wpa_supplicant versions prior to and including 2.7
hostapd with SAE support prior to and including version 2.4
hostapd with EAP-pwd support prior to and including version 2.7
Description
The issue is related to the EAP-PWD protocol component in wpa_supplicant, which is used for wireless device certification. It involves incorrect validation of scalar and element values in the imported EAP-pwd-Commit elements. This can be exploited by a remote attacker to compromise data integrity and confidentiality or cause a denial of service. An attacker may be able to complete authentication and obtain the session key and control of the data connection with a client.
Recommendations
For wpa_supplicant versions prior to and including 2.4, consider disabling SAE support until a patch is available.
For wpa_supplicant versions prior to and including 2.7, consider disabling EAP-pwd support until a patch is available.
For hostapd with SAE support prior to and including version 2.4, consider disabling SAE support until a patch is available.
For hostapd with EAP-pwd support prior to and including version 2.7, consider disabling EAP-pwd support until a patch is available.
As a temporary workaround, restrict access to the EAP-pwd-Commit element to minimize the risk of exploitation.
Fix
Improper Authentication
Origin Validation Error
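The kind of validation the Description says was done incorrectly, shown as an added example that is not code from wpa_supplicant, hostapd or this advisory: a receiver checks the scalar and element of a peer's EAP-pwd-Commit before using them. It assumes the NIST P-256 group, a payload laid out as x || y || scalar in 32-byte big-endian fields, and the acceptance rules stated in the comments; all function and variable names are hypothetical.

```python
# Added example (not wpa_supplicant/hostapd code). Assumptions: NIST P-256,
# and a commit payload laid out as x || y || scalar, 32 bytes each, big-endian.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # field prime
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
R = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296  # base point,
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5  # used as sample
LEN = 32


class CommitRejected(ValueError):
    """Raised when a received scalar or element must not be used."""


def encode_commit(x: int, y: int, scalar: int) -> bytes:
    """Build a constructed sample payload for the checks below."""
    return b"".join(v.to_bytes(LEN, "big") for v in (x, y, scalar))


def validate_commit(payload: bytes) -> tuple[int, int, int]:
    """Return (x, y, scalar) only if every check passes; raise otherwise."""
    if len(payload) != 3 * LEN:
        raise CommitRejected("unexpected payload length")
    x, y, scalar = (int.from_bytes(payload[i:i + LEN], "big")
                    for i in range(0, 3 * LEN, LEN))
    # Scalar must lie strictly between 1 and the group order.
    if not 1 < scalar < R:
        raise CommitRejected("scalar out of range")
    # Coordinates must be reduced field elements.
    if x >= P or y >= P:
        raise CommitRejected("coordinate not in field")
    # Element must satisfy y^2 = x^3 + ax + b (mod p). On P-256 this also
    # rejects the all-zero encoding, and cofactor 1 means no subgroup check.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise CommitRejected("element not on curve")
    return x, y, scalar


def is_acceptable(payload: bytes) -> bool:
    """Boolean wrapper so callers can fail the exchange without try/except."""
    try:
        validate_commit(payload)
        return True
    except CommitRejected:
        return False
```

A receiver that gets `False` here should fail the authentication exchange rather than continue to key derivation.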
Affected Products
ALT Linux
FreeBSD
SUSE
Ubuntu
Hostapd
Wpa Supplicant