Description:
Summary: The remote host is missing an update for the Debian 'wpa' package(s) announced via the DSA-4538-1 advisory.
Vulnerability Insight: Two vulnerabilities were found in the WPA protocol implementation in wpa_supplicant (station) and hostapd (access point).
CVE-2019-13377
A timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password.
CVE-2019-16275
Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network.
For the stable distribution (buster), these problems have been fixed in version 2:2.7+git20190128+0c1e29f-6+deb10u1.
We recommend that you upgrade your wpa packages.
For the detailed security status of wpa please refer to its security tracker page at: [link moved to references]
Affected Software/OS: 'wpa' package(s) on Debian 10.
Solution: Please install the updated package(s).
CVSS Score: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N