[3.9] wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526) (#9219) · Issues · alpine / aports

[3.9] wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526)

An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions,
the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within
range of the Access Point and client can abuse the vulnerability to recover sensitive information.

References:

https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
http://openwall.com/lists/oss-security/2018/08/08/3
https://nvd.nist.gov/vuln/detail/CVE-2018-14526

(from redmine: issue id 9219, created on 2018-08-10, closed on 2018-08-22)

Relations:
- copied_to #9218 (closed)
- parent #9218 (closed)
Changesets:
- Revision ecc28455 by Natanael Copa on 2018-08-21T13:55:16Z:

main/wpa_supplicant: security fix (CVE-2018-14526)

fixes #9219

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information