CVE-2023-52160

wpa_supplicant: potential authorization bypass

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

La implementación de PEAP en wpa_supplicant hasta la versión 2.10 permite omitir la autenticación. Para un ataque exitoso, se debe configurar wpa_supplicant para no verificar el certificado TLS de la red durante la autenticación de la Fase 1, y luego se puede abusar de una vulnerabilidad eap_peap_decrypt para omitir la autenticación de la Fase 2. El vector de ataque envía un paquete de éxito EAP-TLV en lugar de iniciar la Fase 2. Esto permite a un adversario hacerse pasar por redes Wi-Fi empresariales.

A flaw was found in wpa_supplicant's implementation of PEAP. This issue may allow an attacker to skip the second phase of authentication when the target device has not been properly configured to verify the authentication server. By skipping the second phase of authentication, it’s easier for an attacker to create a rogue clone of a trusted WiFi network to trick the victim into connecting, all without knowing their password.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-12-29 CVE Reserved
2024-02-22 CVE Published
2024-03-05 EPSS Updated
2024-08-27 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-285: Improper Authorization
CWE-287: Improper Authentication

CAPEC

References (7)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/02/msg00013.html	Mailing List
https://www.top10vpn.com/research/wifi-vulnerabilities	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c	2024-03-10

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N46C4DTVUWK336OYDA4LGALSC5VVPTCC	2024-03-10
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QU6IR4KV3ZXJZLK2BY7HAHGZNCP7FPNI	2024-03-10
https://access.redhat.com/security/cve/CVE-2023-52160	2024-04-30
https://bugzilla.redhat.com/show_bug.cgi?id=2264593	2024-04-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
W1.fi Search vendor "W1.fi"	WPA Supplicant Search vendor "W1.fi" for product "WPA Supplicant"	< 2.10 Search vendor "W1.fi" for product "WPA Supplicant" and version " < 2.10"	-	Affected	in	Google Search vendor "Google"	Android Search vendor "Google" for product "Android"	*	-	Safe
W1.fi Search vendor "W1.fi"	WPA Supplicant Search vendor "W1.fi" for product "WPA Supplicant"	< 2.10 Search vendor "W1.fi" for product "WPA Supplicant" and version " < 2.10"	-	Affected	in	Google Search vendor "Google"	Chrome Os Search vendor "Google" for product "Chrome Os"	*	-	Safe
W1.fi Search vendor "W1.fi"	WPA Supplicant Search vendor "W1.fi" for product "WPA Supplicant"	< 2.10 Search vendor "W1.fi" for product "WPA Supplicant" and version " < 2.10"	-	Affected	in	Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	*	-	Safe
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"		-		Affected