On Fri, Feb 16, 2024 at 05:12:54AM +0000, Turritopsis Dohrnii Teo En Ming wrote:
> I hope this message finds you well. I am writing to bring your attention to recent security vulnerabilities identified in wpa_supplicant, as reported on 15 Feb 2024 in a reputable news article.
>
> Article: "New Wi-Fi Authentication Bypass Flaws Expose Home, Enterprise Networks"
> Link: https://www.securityweek.com/new-wi-fi-authentication-bypass-flaws-expose-home-enterprise-networks/

That article identifies an issue in which incomplete EAP configuration is used for WPA/WPA2/WPA3-Enterprise access. When using TLS-based EAP methods, the server certificate needs to be validated and that requires either the specific server certificate to be identified or a trust root to be configured. This can be done with the ca_cert parameter as documented in wpa_supplicant/wpa_supplicant.conf.

This is not a "critical security vulnerability in wpa_supplicant". This is an issue in use of insecure configuration and how that is still prevalent in many devices since most UIs make it so easy for this important part of the configuration to be skipped.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
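The configuration issue described in the reply above, as an added example that is not part of the thread and not code from the hostap project: a small audit script that parses wpa_supplicant.conf network blocks and flags TLS-based EAP networks (TLS, PEAP, TTLS, FAST, TEAP) that configure no trust root via ca_cert or ca_path, which is exactly the insecure configuration the reply points to. The embedded configuration is constructed for the example; the SSIDs, identity, password, CA file path and RADIUS server name are invented placeholders. The check that a trust root is also paired with a server name constraint (domain_suffix_match or similar) goes one step beyond the email and is this example's own hardening recommendation.

```python
import re

# Constructed sample wpa_supplicant.conf (not a real deployment file).
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant

# Insecure: TLS-based EAP with no ca_cert/ca_path, so the RADIUS server's
# certificate is never validated and any server can complete the handshake.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: trust root configured (ca_cert) and the server name pinned
# to the expected suffix (domain_suffix_match).
network={
    ssid="corp-wifi-ok"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

# Not an EAP network, so server certificate validation does not apply.
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="placeholder passphrase"
}
"""

# EAP methods that carry a TLS handshake and therefore need server validation.
TLS_BASED_EAP = {"TLS", "PEAP", "TTLS", "FAST", "TEAP"}
TRUST_ROOT_KEYS = ("ca_cert", "ca_path")
NAME_CHECK_KEYS = ("domain_suffix_match", "domain_match",
                   "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict (parameter -> value, quotes stripped) per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        params = {}
        for line in body.splitlines():
            line = line.strip()
            # Skip blank lines and full-line comments.
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip().strip('"')
        networks.append(params)
    return networks


def audit_network(params):
    """Return a list of findings for one network block; an empty list means no issue."""
    findings = []
    key_mgmt = params.get("key_mgmt", "WPA-PSK")
    if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return findings  # PSK/SAE/open networks: no EAP server to validate
    # No eap= line means wpa_supplicant may negotiate any method, so treat as TLS-based.
    methods = set(params.get("eap", "").split()) or TLS_BASED_EAP
    if not methods & TLS_BASED_EAP:
        return findings
    if not any(params.get(k) for k in TRUST_ROOT_KEYS):
        findings.append("no ca_cert/ca_path: server certificate is not validated")
    elif not any(params.get(k) for k in NAME_CHECK_KEYS):
        findings.append("trust root set but no domain_suffix_match/domain_match: "
                        "any certificate issued by that CA is accepted")
    return findings


def audit_conf(text):
    """Map each network's ssid to its findings."""
    return {p.get("ssid", "<no ssid>"): audit_network(p) for p in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ssid}: {status}")
```

Running the script reports the first network as missing a trust root and the other two as OK. The same parser can be pointed at a real wpa_supplicant.conf by replacing SAMPLE_CONF with the file's contents; wpa_supplicant.conf also documents pinning a specific server certificate through ca_cert instead of a CA file, which the reply mentions as the other acceptable option and which this check accepts as a configured ca_cert value.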