CVE-2018-14526

Name
CVE-2018-14526
Description
An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Mitigation https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
Technical Description https://papers.mathyvanhoef.com/woot2018.pdf
Third Party Advisory http://www.securitytracker.com/id/1041438
Mailing List https://lists.debian.org/debian-lts-announce/2018/08/msg00009.html
Mitigation https://security.FreeBSD.org/advisories/FreeBSD-SA-18:11.hostapd.asc
Third Party Advisory https://usn.ubuntu.com/3745-1/
REDHAT https://access.redhat.com/errata/RHSA-2018:3107
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00013.html
CONFIRM https://cert-portal.siemens.com/productcert/pdf/ssa-344983.pdf
MISC https://www.us-cert.gov/ics/advisories/icsa-19-344-01

Match rules

CPE URI Source package Min version Max version
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* ubuntu_linux == None == 16.04
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* ubuntu_linux == None == 14.04
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* ubuntu_linux == None == 18.04

Vulnerable and fixed packages

Source package Branch Version Maintainer Status