The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
AND |
|
History
21 Nov 2024, 08:39
Type | Values Removed | Values Added |
---|---|---|
References | () https://lists.debian.org/debian-lts-announce/2024/02/msg00013.html - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N46C4DTVUWK336OYDA4LGALSC5VVPTCC/ - Mailing List | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QU6IR4KV3ZXJZLK2BY7HAHGZNCP7FPNI/ - Third Party Advisory | |
References | () https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c - Patch | |
References | () https://www.top10vpn.com/research/wifi-vulnerabilities/ - Third Party Advisory |
23 Oct 2024, 19:34
Type | Values Removed | Values Added |
---|---|---|
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QU6IR4KV3ZXJZLK2BY7HAHGZNCP7FPNI/ - Third Party Advisory | |
CPE | cpe:2.3:o:google:android:*:*:*:*:*:*:*:* cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:* |
cpe:2.3:o:google:chrome_os:-:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* cpe:2.3:o:google:android:-:*:*:*:*:*:*:* |
10 Mar 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
04 Mar 2024, 22:47
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:w1.fi:wpa_supplicant:*:*:*:*:*:*:*:* cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:google:android:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
First Time |
Redhat
Linux linux Kernel Fedoraproject fedora W1.fi wpa Supplicant Redhat enterprise Linux Google chrome Os W1.fi Debian debian Linux Linux Fedoraproject Google android Debian |
|
CWE | CWE-287 | |
References | () https://lists.debian.org/debian-lts-announce/2024/02/msg00013.html - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N46C4DTVUWK336OYDA4LGALSC5VVPTCC/ - Mailing List | |
References | () https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c - Patch | |
References | () https://www.top10vpn.com/research/wifi-vulnerabilities/ - Third Party Advisory |
27 Feb 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
27 Feb 2024, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Feb 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-22 17:15
Updated : 2024-11-21 08:39
NVD link : CVE-2023-52160
Mitre link : CVE-2023-52160
CVE.ORG link : CVE-2023-52160
JSON object : View
Products Affected
debian
- debian_linux
- android
- chrome_os
w1.fi
- wpa_supplicant
linux
- linux_kernel
redhat
- enterprise_linux
fedoraproject
- fedora
CWE
CWE-287
Improper Authentication