Urgent Notification: Critical Security Vulnerabilities Discovered in wpa_supplicant on 15 Feb 2024

Jouni Malinen j at w1.fi
Fri Feb 16 02:37:02 PST 2024

On Fri, Feb 16, 2024 at 05:12:54AM +0000, Turritopsis Dohrnii Teo En Ming wrote:
> I hope this message finds you well. I am writing to bring your attention to recent security vulnerabilities identified in wpa_supplicant, as reported on 15 Feb 2024 in a reputable news article.
> Article: "New Wi-Fi Authentication Bypass Flaws Expose Home, Enterprise Networks"
> Link: https://www.securityweek.com/new-wi-fi-authentication-bypass-flaws-expose-home-enterprise-networks/

That article identifies an issue in which incomplete EAP configuration
is used for WPA/WPA2/WPA3-Enterprise access. When using TLS-based EAP
methods, the server certificate needs to be validated and that requires
either the specific server certificate to be identified or a trust root
to be configured. This can be done with the ca_cert parameter as
documented in wpa_supplicant/wpa_supplicant.conf.

This is not a "critical security vulnerability in wpa_supplicant". This
is an issue in use of insecure configuration and how that is still
prevalent in many devices since most UIs make it so easy for this
important part of the configuration to be skipped.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list