CVE-2023-52160
Published: February 16, 2024Last modified: February 16, 2024
Description
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | NONE |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Notes
There is no consensus if there is an issue with wpa_supplicant, or it's just an insecure setup.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | wpa_supplicant | Unknown (2.10-r4) |
| Stream | wpa_supplicant | Unknown (2.10-r4) |
References
- http://lists.infradead.org/pipermail/hostap/2024-February/042362.html
- https://lists.debian.org/debian-lts-announce/2024/02/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N46C4DTVUWK336OYDA4LGALSC5VVPTCC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QU6IR4KV3ZXJZLK2BY7HAHGZNCP7FPNI/
- https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff
- https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c
- https://www.top10vpn.com/research/wifi-vulnerabilities/