Use of a Risky Cryptographic Algorithm Affecting wpa_supplicant package, versions [,2.8)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Use of a Risky Cryptographic Algorithm vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-UNMANAGED-WPASUPPLICANT-2364107
- published14 Dec 2021
- disclosed17 Apr 2019
- creditUnknown
Introduced: 17 Apr 2019
CVE-2019-9495 (opens in a new tab)How to fix?
Upgrade wpa_supplicant to version 2.8 or higher.
Overview
Affected versions of this package are vulnerable to Use of a Risky Cryptographic Algorithm. The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.