CVE-2023-52160: hostap/wpa_supplicant CVE fix new release?

Jouni Malinen j at
Thu Feb 15 11:20:02 PST 2024

On Thu, Feb 15, 2024 at 01:24:48PM +0000, * Neustradamus * wrote:
> I would like to know when the next build will be released with CVE-2023-52160 fix?
> Links:
> -
> -

CVE-2023-52160 identifies an issue in use of insecure configuration,
i.e., the real issue is in whatever component is creating the network
configuration. If EAP authentication is used with PEAP (or EAP-TTLS for
that matter) without verifying the server certificate, there is no real
protection against active attacks. The appropriate way to address this
issue is in fixing the configuration.

The referenced commit in wpa_supplicant
( is just a
workaround that makes some attacks more difficult if the Phase 2 method
provides mutual authentication. If options like EAP-GTC for
username/password is allowed to be used, it does not really help at all
to require the Phase 2 exchange to be completed. The only way to address
such an issue is by using a valid configuration (e.g., use the ca_cert
parameter to configure a trust root against which the server
certificate is verified).

IMHO, this claimed vulnerability is not a vulnerability in
wpa_supplicant. It should be understood that the description of the
affected devices includes this:
"vulnerability only affects WiFi clients that aren’t properly configured
to verify the certificate of the authentication server", in other words,
this is only applicable if wpa_supplicant is not configured properly.
What needs to be fixed here is the external component that generated the

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list