| IR Number | FG-IR-19-107 |
| Date | Jan 3, 2020 |
| Severity |
Medium |
| CVSSv3 Score | 5.3 |
| Impact | Side-channel attack, Denial of service |
| CVE ID | CVE-2019-9494 |
| Affected Products |
FortiOS
:
6.2.2, 6.2.1, 6.2.0
Meru AP
:
8.5.0
FortiAP-S
:
6.2.1, 6.2.0
FortiAP-W2
:
6.2.1, 6.2.0
Meru Controller
:
8.5.0
|
| CVRF | Download |
Refine Search
PSIRT Advisories
Dragonblood vulnerabilities in WiFi WPA3 standard implementation
Summary
Multiple vulnerabilities, referred to as Dragonblood, exist in WiFi WPA3 standard implementation .
Dragonblood vulnerabilities impacting WiFi WPA3 standard implementations can cause password leak, denial of service or authorization bypass. They consist it:
CVE-2019-9494: SAE cache attack against ECC groups (SAE side-channel attacks)
CVE-2019-9495: EAP-PWD cache attack against ECC groups (EAP-PWD side-channel attack)
CVE-2019-9496: SAE confirm missing state validation
CVE-2019-9497: EAP-PWD reflection attack (EAP-PWD missing commit validation)
CVE-2019-9498: EAP-PWD server missing commit validation for scalar/element
CVE-2019-9499: EAP-PWD peer missing commit validation for scalar/element
Affected Products
FortiOS and FortiAP-S/W2 are only impacted by:
CVE-2019-9494
CVE-2019-9495
CVE-2019-9496
Meru AP and Meru Controller are only impacted by:
CVE-2019-9496
Solutions
FortiOS:
CVE-2019-9494 upgrade to FortiOS 6.2.2
CVE-2019-9495 upgrade to FortiOS 6.2.2
CVE-2019-9496 upgrade to FortiOS 6.2.3
FortiAP-S/W2:
CVE-2019-9494 upgrade to FortiAP-S/W2 6.2.1
CVE-2019-9495 upgrade to FortiAP-S/W2 6.2.1
CVE-2019-9496 upgrade to FortiAP-S/W2 6.2.2
Meru AP:
CVE-2019-9496 upgrade to Meru AP 8.5.1
Meru Controller:
CVE-2019-9496 upgrade to Meru Controller 8.5.1