CVE-2023-52160 — MEDIUM (6.5)

Q: How severe is CVE-2023-52160?

CVE-2023-52160 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-52160?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Redhat Enterprise Linux, W1.Fi Wpa Supplicant, Google Android.

Vulnerability Description

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	10.0
Fedoraproject	Fedora	38
Redhat	Enterprise Linux	8.0
W1.Fi	Wpa Supplicant	<= 2.10
Google	Android	-
Google	Chrome Os	-
Linux	Linux Kernel	-

Related Weaknesses (CWE)

CWE-287

References

https://lists.debian.org/debian-lts-announce/2024/02/msg00013.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproThird Party Advisory
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439cPatch
https://www.top10vpn.com/research/wifi-vulnerabilities/Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/02/msg00013.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]
https://lists.fedoraproject.org/archives/list/[email protected]
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439cPatch
https://www.top10vpn.com/research/wifi-vulnerabilities/Third Party Advisory

FAQ

What is CVE-2023-52160?

CVE-2023-52160 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Ph...

How severe is CVE-2023-52160?

CVE-2023-52160 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-52160?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Redhat Enterprise Linux, W1.Fi Wpa Supplicant, Google Android.