Re: Urgent Notification: Critical Security Vulnerabilities Discovered in wpa_supplicant on 15 Feb 2024

On Fri, Feb 16, 2024 at 05:12:54AM +0000, Turritopsis Dohrnii Teo En Ming wrote:
> I hope this message finds you well. I am writing to bring your attention to recent security vulnerabilities identified in wpa_supplicant, as reported on 15 Feb 2024 in a reputable news article.
> 
> Article: "New Wi-Fi Authentication Bypass Flaws Expose Home, Enterprise Networks"
> Link: https://www.securityweek.com/new-wi-fi-authentication-bypass-flaws-expose-home-enterprise-networks/

That article identifies an issue in which incomplete EAP configuration
is used for WPA/WPA2/WPA3-Enterprise access. When using TLS-based EAP
methods, the server certificate needs to be validated and that requires
either the specific server certificate to be identified or a trust root
to be configured. This can be done with the ca_cert parameter as
documented in wpa_supplicant/wpa_supplicant.conf.

This is not a "critical security vulnerability in wpa_supplicant". This
is an issue in the use of insecure configuration and how that is still
prevalent in many devices since most UIs make it so easy for this
important part of the configuration to be skipped.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
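To illustrate the configuration point made in the reply above, here is an added example (not part of the list message or of the hostap project's own files) contrasting a PEAP network block with no server certificate validation against one that configures a trust root with ca_cert and checks the server name. The SSID, identity, CA bundle path, server name and certificate hash are constructed placeholders.

```conf
# Constructed example for wpa_supplicant.conf; SSID, identity, paths and
# server name are placeholders, not values from the list message.

# INSECURE: no ca_cert (or ca_path), so the RADIUS server's certificate is
# not verified and the PEAP/MSCHAPv2 exchange completes with any server
# that presents a certificate.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="<REDACTED>"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust root configured with ca_cert, and the server certificate
# additionally matched against the expected host name so that only the
# intended authentication server is accepted.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="<REDACTED>"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

# ALTERNATIVE: identify the specific server certificate instead of a CA,
# using the hash://server/sha256/<hex> form of ca_cert. The hex string is
# a placeholder for the SHA-256 of the server's DER-encoded certificate.
#   ca_cert="hash://server/sha256/<SERVER_CERT_SHA256_HEX>"
```

Whichever form is chosen, the relevant check is that every TLS-based EAP network block (PEAP, EAP-TTLS, EAP-TLS) carries either ca_cert, ca_path or the hash://server/ pin; a block without any of them leaves the credential exchange open to any server the client happens to associate with.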
