Re: CVE-2023-52160: hostap/wpa_supplicant CVE fix new release?

Hello Jouni Malinen,

Thanks for your answer.

Is it possible to create a new build, as I have already requested previously?
The latest is now very old, more than 2 years already since hostap_2_10 (2022-01-16).
It is better to create more and more releases like other projects, weekly, fortnightly, monthly, bimonthly, quarterly.

Thanks in advance.

Regards,

Neustradamus

________________________________________
From: Hostap <hostap-bounces@xxxxxxxxxxxxxxxxxxx> on behalf of Jouni Malinen <j@xxxxx>
Sent: Thursday, February 15, 2024 20:20
To: * Neustradamus *
Cc: hostap@xxxxxxxxxxxxxxxxxxx
Subject: Re: CVE-2023-52160: hostap/wpa_supplicant CVE fix new release?

On Thu, Feb 15, 2024 at 01:24:48PM +0000, * Neustradamus * wrote:
> I would like to know when the next build will be released with CVE-2023-52160 fix?
>
> Links:
> - https://www.top10vpn.com/research/wifi-vulnerabilities/
> - https://www.google.com/search?q=CVE-2023-52160

CVE-2023-52160 identifies an issue in use of insecure configuration,
i.e., the real issue is in whatever component is creating the network
configuration. If EAP authentication is used with PEAP (or EAP-TTLS for
that matter) without verifying the server certificate, there is no real
protection against active attacks. The appropriate way to address this
issue is in fixing the configuration.

The referenced commit in wpa_supplicant
(https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff) is just a
workaround that makes some attacks more difficult if the Phase 2 method
provides mutual authentication. If options like EAP-GTC for
username/password are allowed to be used, it does not really help at all
to require the Phase 2 exchange to be completed. The only way to address
such an issue is by using a valid configuration (e.g., use the ca_cert
parameter to configure a trust root against which the server
certificate is verified).

IMHO, this claimed vulnerability is not a vulnerability in
wpa_supplicant. It should be understood that the description of the
affected devices includes this:
"vulnerability only affects WiFi clients that aren’t properly configured
to verify the certificate of the authentication server", in other words,
this is only applicable if wpa_supplicant is not configured properly.
What needs to be fixed here is the external component that generated the
configuration.

--
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
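
As an added example (not part of the original thread and not hostap project code), a minimal audit of a wpa_supplicant.conf that lists the networks able to run PEAP or EAP-TTLS with no `ca_cert` or `ca_path` trust root, the misconfiguration described in the reply above. The sample configuration, SSIDs and certificate path are constructed, and the parser assumes simple one-parameter-per-line `network={...}` blocks.

```python
import re

TUNNELED = {"PEAP", "TTLS"}               # Phase 2 runs inside a TLS tunnel
TRUST_ROOT_KEYS = ("ca_cert", "ca_path")  # parameters that set a trust root

def parse_networks(conf_text):
    """Return one {key: value} dict per network={...} block."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out ca_cert does not count)
        if re.fullmatch(r"network\s*=\s*\{", line):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def unverified_tunneled_networks(conf_text):
    """SSIDs of networks that can run PEAP/TTLS with no trust root set."""
    findings = []
    for net in parse_networks(conf_text):
        eap = net.get("eap", "")
        # No eap= line on an EAP network: every compiled-in method is accepted.
        if not eap and "EAP" in net.get("key_mgmt", ""):
            eap = "PEAP TTLS"
        has_root = any(net.get(k) for k in TRUST_ROOT_KEYS)
        if set(eap.upper().split()) & TUNNELED and not has_root:
            findings.append(net.get("ssid", "<no ssid>"))
    return findings

# Constructed sample configuration (SSIDs and the CA path are made up).
SAMPLE_CONF = """
network={
    ssid="corp-verified"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
}
network={
    ssid="corp-unverified"
    key_mgmt=WPA-EAP
    eap=PEAP
}
"""
if __name__ == "__main__":
    print(unverified_tunneled_networks(SAMPLE_CONF))
```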
