Government of the Republic of Trinidad and Tobago                                                                                                                                        


News

TTCSIRT-259.010620: TT-CSIRT ADVISORY- DRAGONBLOOD VULNERABILITIES

6th January 2020

Multiple vulnerabilities, referred to as Dragonblood, exist in WiFi WPA3 standard implementation .

Dragonblood vulnerabilities impacting WiFi WPA3 standard implementations can cause password leak, denial of service or authorization bypass. They consist it:

CVE-2019-9494: SAE cache attack against ECC groups (SAE side-channel attacks)

CVE-2019-9495: EAP-PWD cache attack against ECC groups (EAP-PWD side-channel attack)

CVE-2019-9496: SAE confirm missing state validation

CVE-2019-9497: EAP-PWD reflection attack (EAP-PWD missing commit validation)

CVE-2019-9498: EAP-PWD server missing commit validation for scalar/element

CVE-2019-9499: EAP-PWD peer missing commit validation for scalar/element

 

Impact: Side-channel attack, Denial of service

 

Affected Products: FortiOS and FortiAP-S/W2 are only impacted by:

CVE-2019-9494

CVE-2019-9495

CVE-2019-9496

Meru AP and Meru Controller are only impacted by:

CVE-2019-9496

 

Solutions: 

FortiOS:

CVE-2019-9494 upgrade to FortiOS 6.2.2

CVE-2019-9495 upgrade to FortiOS 6.2.2

CVE-2019-9496 upgrade to FortiOS 6.2.3

 

FortiAP-S/W2:

CVE-2019-9494 upgrade to FortiAP-S/W2 6.2.1

CVE-2019-9495 upgrade to FortiAP-S/W2 6.2.1

CVE-2019-9496 upgrade to FortiAP-S/W2 6.2.2

 

Meru AP:

CVE-2019-9496 upgrade to Meru AP 8.5.1

 

Meru Controller:

CVE-2019-9496 upgrade to Meru Controller 8.5.1

 

The Trinidad and Tobago Cyber Security Incident Response Team (TTCSIRT) encourages users and administrators to review and apply the necessary updates for the following:

FortiOS:

CVE-2019-9494 ,CVE-2019-9495 and CVE-2019-9496

FortiAP-S/W2:

CVE-2019-9494 upgrade to FortiAP-S/W2 6.2.1

CVE-2019-9495 upgrade to FortiAP-S/W2 6.2.1

CVE-2019-9496 upgrade to FortiAP-S/W2 6.2.2

Meru AP:

CVE-2019-9496 upgrade to Meru AP 8.5.1

Meru Controller:

CVE-2019-9496 upgrade to Meru Controller 8.5.1

 

For further review please see the following link:

References