CVE-2023-52160: hostap/wpa_supplicant CVE fix new release?

* Neustradamus * neustradamus at hotmail.com
Fri Feb 16 03:40:02 PST 2024


Hello Jouni Malinen,

Thanks for your answer.

Is it possible to create a new build, as I have already requested previously?
The latest is now very old, more than 2 years already since hostap_2_10 (2022-01-16).
It is better to create more and more releases like other projects, weekly, fortnightly, monthly, bimonthly, quarterly.

Thanks in advance.

Regards,

Neustradamus

________________________________________
From: Hostap <hostap-bounces at lists.infradead.org> on behalf of Jouni Malinen <j at w1.fi>
Sent: Thursday, February 15, 2024 20:20
To: * Neustradamus *
Cc: hostap at lists.infradead.org
Subject: Re: CVE-2023-52160: hostap/wpa_supplicant CVE fix new release?

On Thu, Feb 15, 2024 at 01:24:48PM +0000, * Neustradamus * wrote:
> I would like to know when the next build will be released with CVE-2023-52160 fix?
>
> Links:
> - https://www.top10vpn.com/research/wifi-vulnerabilities/
> - https://www.google.com/search?q=CVE-2023-52160

CVE-2023-52160 identifies an issue in use of insecure configuration,
i.e., the real issue is in whatever component is creating the network
configuration. If EAP authentication is used with PEAP (or EAP-TTLS for
that matter) without verifying the server certificate, there is no real
protection against active attacks. The appropriate way to address this
issue is in fixing the configuration.

The referenced commit in wpa_supplicant
(https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff) is just a
workaround that makes some attacks more difficult if the Phase 2 method
provides mutual authentication. If options like EAP-GTC for
username/password are allowed to be used, it does not really help at all
to require the Phase 2 exchange to be completed. The only way to address
such an issue is by using a valid configuration (e.g., use the ca_cert
parameter to configure a trust root against which the server
certificate is verified).

IMHO, this claimed vulnerability is not a vulnerability in
wpa_supplicant. It should be understood that the description of the
affected devices includes this:
"vulnerability only affects WiFi clients that aren’t properly configured
to verify the certificate of the authentication server", in other words,
this is only applicable if wpa_supplicant is not configured properly.
What needs to be fixed here is the external component that generated the
configuration.

--
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap at lists.infradead.org
http://lists.infradead.org/mailman/listinfo/hostap
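
An added example, not part of the original thread or the hostap project's code: a small audit of a wpa_supplicant configuration that flags PEAP/EAP-TTLS network blocks lacking the ca_cert trust root described in the quoted reply. The sample configuration is constructed, the function names are hypothetical, and treating ca_path as an equivalent trust root is an assumption.

```python
import re

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = '''
network={
    ssid="corp-unverified"
    eap=PEAP
    phase2="auth=GTC"
}
network={
    ssid="corp-verified"
    eap=PEAP TTLS
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="lab-ttls"
    eap=TTLS
    # ca_cert="/etc/ssl/certs/example-radius-ca.pem"
}
'''

TUNNELED = {"PEAP", "TTLS"}               # methods named in the reply
TRUST_ROOT_KEYS = ("ca_cert", "ca_path")  # assumption: either counts as a trust root

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    networks = []
    for body in re.findall(r"^\s*network\s*=\s*\{(.*?)^\s*\}", text, re.S | re.M):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks

def unverified_tunneled_networks(text):
    """List (ssid, phase2) for PEAP/TTLS networks with no trust root configured."""
    findings = []
    for net in parse_networks(text):
        methods = set(net.get("eap", "").upper().split())
        if methods & TUNNELED and not any(net.get(k) for k in TRUST_ROOT_KEYS):
            findings.append((net.get("ssid", "?"), net.get("phase2", "")))
    return findings

if __name__ == "__main__":
    for ssid, phase2 in unverified_tunneled_networks(SAMPLE_CONF):
        print(f"{ssid}: PEAP/TTLS without a trust root (phase2={phase2!r})")
```

The third block is flagged because its ca_cert line is commented out, which leaves the network without server certificate verification just like the first.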


