On Thu, Feb 15, 2024 at 01:24:48PM +0000, * Neustradamus * wrote: > I would like to know when the next build will be released with CVE-2023-52160 fix? > > Links: > - https://www.top10vpn.com/research/wifi-vulnerabilities/ > - https://www.google.com/search?q=CVE-2023-52160 CVE-2023-52160 identifies an issue in use of insecure configuration, i.e., the real issue is in whatever component is creating the network configuration. If EAP authentication is used with PEAP (or EAP-TTLS for that matter) without verifying the server certificate, there is no real protection against active attacks. The appropriate way to address this issue is in fixing the configuration. The referenced commit in wpa_supplicant (https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff) is just a workaround that makes some attacks more difficult if the Phase 2 method provides mutual authentication. If options like EAP-GTC for username/password is allowed to be used, it does not really help at all to require the Phase 2 exchange to be completed. The only way to address such an issue is by using a valid configuration (e.g., use the ca_cert parameter to configure a trust root against which the server certificate is verified). IMHO, this claimed vulnerability is not a vulnerability in wpa_supplicant. It should be understood that the description of the affected devices includes this: "vulnerability only affects WiFi clients that aren’t properly configured to verify the certificate of the authentication server", in other words, this is only applicable if wpa_supplicant is not configured properly. What needs to be fixed here is the external component that generated the configuration. -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
