Vulnerabilities:

CVE-2023-52160 (wpa_supplicant) and CVE-2023-52161 (Intel’s iNet Wireless Daemon) allow attackers to:

  • Trick users into joining fake Wi-Fi networks: Attackers can create malicious clones of legitimate networks and steal user data.
  • Gain unauthorized access to secure Wi-Fi networks: Attackers can join password-protected networks without needing the password, putting devices and data at risk.

Affected devices:

  • CVE-2023-52160: Android devices using wpa_supplicant versions 2.10 and prior (requires specific configuration).
  • CVE-2023-52161: Linux devices using iNet Wireless Daemon versions 2.12 and lower (any network using a Linux access point).

Mitigation:

  • Update your Linux distribution and ChromeOS (version 118 or later).
  • Android fix not yet available, but manually configure CA certificate for any saved enterprise networks as a temporary workaround.

Exploitation:

  • Attacker needs SSID and physical proximity for CVE-2023-52160.
  • CVE-2023-52161 requires no special knowledge, affecting any vulnerable network.

Links:

  • Ilgaz@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    9 months ago

    Once more we will ignore the elephant in the room which is owned by a advertising giant. Android. Their OEM agreement was designed so bad that it makes you wonder if it does serve a purpose? I can theoretically easily compile the wpa_supplicant on the phone itself however I won’t be able to install/run it. Manufacturer even gave up the brand name itself. Billions of walking zombie devices as the result.