CVE-2018-14526
wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant
Public Exploits: 0
Exploited in Wild: -
Descriptions
An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.
When using WPA2, for EAPOL-Key frames with the Encrypted flag set and the MIC flag not set, the data field was decrypted first without verifying the MIC. When the data field was encrypted using RC4, for example, when negotiating TKIP as a pairwise cipher, the unauthenticated but decrypted data was subsequently processed. This opened wpa_supplicant(8) to abuse by decryption and recovery of sensitive information contained in EAPOL-Key messages. All users of the WPA2 TKIP pairwise cipher are vulnerable to disclosure of information, for example, the group key.
Timeline
- 2018-07-22 CVE Reserved
- 2018-08-08 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
References (12)
URL | Tag | Source |
---|---|---|
http://www.securitytracker.com/id/1041438 | Third Party Advisory | |
https://cert-portal.siemens.com/productcert/pdf/ssa-344983.pdf | X_refsource_confirm | |
https://lists.debian.org/debian-lts-announce/2018/08/msg00009.html | Mailing List | |
https://papers.mathyvanhoef.com/woot2018.pdf | Technical Description | |
https://www.us-cert.gov/ics/advisories/icsa-19-344-01 | X_refsource_misc | |

URL | Date | SRC |
---|---|---|
https://security.FreeBSD.org/advisories/FreeBSD-SA-18:11.hostapd.asc | 2019-10-03 | |
https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt | 2019-10-03 | |
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00013.html | 2019-10-03 | |
https://access.redhat.com/errata/RHSA-2018:3107 | 2019-10-03 | |
https://usn.ubuntu.com/3745-1 | 2019-10-03 | |
https://access.redhat.com/security/cve/CVE-2018-14526 | 2018-10-30 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1614520 | 2018-10-30 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Canonical | Ubuntu Linux | 14.04 | lts | Affected |
Canonical | Ubuntu Linux | 16.04 | lts | Affected |
Canonical | Ubuntu Linux | 18.04 | lts | Affected |
Debian | Debian Linux | 8.0 | - | Affected |
W1.fi | WPA Supplicant | >= 2.0 <= 2.6 | - | Affected |