CVE-2019-13377

Publication date 8 August 2019

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

5.9 · Medium

Score breakdown

Description

The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.

Read the notes from the security team

Status

Package Ubuntu Release Status
wpa 19.04 disco
Fixed 2:2.6-21ubuntu3.2
18.04 LTS bionic
Fixed 2:2.6-15ubuntu2.4
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Notes

leosilva

from Debian "bug was added in v2.5"

mdeslaur

SAE is not enabled in Ubuntu builds, some of the patches aren't required.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
wpa

Severity score breakdown

Parameter Value
Base score 5.9 · Medium
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-4098-1
    • wpa_supplicant and hostapd vulnerability
    • 14 August 2019

Other references