azorius.net

Two Wi-Fi flaws expose Android, Linux devices to attacks (thehackernews.com)
from Squire1039@lemm.ee to technology@lemmy.world on 23 Feb 2024 11:22
https://lemm.ee/post/24607180

Vulnerabilities:

CVE-2023-52160 (wpa_supplicant) and CVE-2023-52161 (Intel’s iNet Wireless Daemon) allow attackers to:

Trick users into joining fake Wi-Fi networks: Attackers can create malicious clones of legitimate networks and steal user data.
Gain unauthorized access to secure Wi-Fi networks: Attackers can join password-protected networks without needing the password, putting devices and data at risk.

Affected devices:

CVE-2023-52160: Android devices using wpa_supplicant versions 2.10 and prior (requires specific configuration).
CVE-2023-52161: Linux devices using iNet Wireless Daemon versions 2.12 and lower (any network using a Linux access point).

Mitigation:

Update your Linux distribution and ChromeOS (version 118 or later).
Android fix not yet available, but manually configure CA certificate for any saved enterprise networks as a temporary workaround.

Exploitation:

Attacker needs SSID and physical proximity for CVE-2023-52160.
CVE-2023-52161 requires no special knowledge, affecting any vulnerable network.

Links:

#technology

threaded - newest

Link@rentadrunk.org on 23 Feb 2024 13:10 next collapse

Do routers and access points need patching too?

Squire1039@lemm.ee on 23 Feb 2024 13:28 next collapse

Yeah, check out this link: www.top10vpn.com/research/wifi-vulnerabilities/ , it says any Linux device running Intel’s iNet Wireless Daemon in an AP mode.

Link@rentadrunk.org on 23 Feb 2024 13:31 collapse

Hmm how would one know if their specific AP is affected? Lots of manufacturers won’t release updates.

TunaLobster@lemmy.world on 23 Feb 2024 14:27 next collapse

If these CVEs didn’t expose a router that doesn’t get updates, many others already have. OpenWRT might be more secure than OEM firmware.

Link@rentadrunk.org on 23 Feb 2024 15:53 collapse

Unfortunately my AP doesn’t support OpenWRT.

khannie@lemmy.world on 23 Feb 2024 14:29 collapse

TL;DR: If you’re using a linux based AP, check if you’re using iwd. If you are, you need to update immediately. Alternatively, if you’re using an OpenWRT based router you’re good.

It’s not clear to me yet if this is specific to intel wireless devices (edit: the IWD wiki page says that it aims to be “a comprehensive Wi-Fi connectivity solution for Linux based devices” so it looks like it would cover any system using IWD, not just Intel AP’s).

The article says “everyone using IWD as an access point” and “affects home WiFi networks”.

So I went to the good ol’ Arch wiki and it gives some details on iwd:

wiki.archlinux.org/title/Iwd

Long story short it looks like at a minimum you would need the iwd package installed on a linux based access point (think open source based routers and probably many ISP ones) and an easy way to test for that appears to be if the apps iwctl, iwd and / or iwmon are anywhere on the system (and / or if iwd is running).

If you run

ps -ef | grep iwd

on a normal linux box or

ps w | grep iwd

on openwrt based routers it should give you a clear indication.

The linux based router I’m using here has iw and iwlist but they’re for a separate package and no iwd daemon running.

I am still digging on this and will be until I’m happy.

update: iwd 2.13 is vulnerable and was released 2024/01/12 so unless you’re bang up to date, if you’re using iwd you’re exposed.

update: even newer versions of OpenWRT don’t appear to use IWD.

JustUseMint@lemmy.world on 23 Feb 2024 15:47 collapse

Thanks a bunch

khannie@lemmy.world on 23 Feb 2024 17:58 collapse

No worries. :) It was a bit rambling there for a while but I finally got to the bottom of it all.

The article and / or CVE could have done a much better job of making it clear who wasn’t affected or at least how to check if you are.

Dran_Arcana@lemmy.world on 23 Feb 2024 14:46 collapse

UAP-AC-Lite-LR-BZ.6.6.55# which wpa_supplicant 
/usr/sbin/wpa_supplicant

UAP-AC-Lite-LR-BZ.6.6.55# /usr/sbin/wpa_supplicant -v
wpa_supplicant v2.10-devel
Copyright (c) 2003-2019, Jouni Malinen  and contributors`

Seems unifi devices are affected, no patch yet as far as I can tell.

Buelldozer@lemmy.today on 23 Feb 2024 15:02 collapse

The patch is likely going to have to come from Intel since they’re the creators of IWD. I see that UniFi is running an older v2.10 module but it really doesn’t matter as the CVE states that even 2.14 (which I think is the latest?) is vulnerable as well.

Dran_Arcana@lemmy.world on 23 Feb 2024 15:25 collapse

it’s running wpa_supplicant, not iwd. It’s vulnerable to the similar exploit in CVE-2023-52160 but the patch will likely have to come from unifi, as wpa_supplicant hasn’t been updated in years as far as I know.

Buelldozer@lemmy.today on 23 Feb 2024 18:53 collapse

Help me clear my confusion on this.

According to Mitre CVE-2023-52160 only applies to “Enterprise” Networks, that is WiFi Networks using WPA2 / WPA3 with Radius. This CVE is the one that relies on wpa_supplicant.

Meanwhile CVE-2023-52161 works on “regular” networks, ones using WPA2 / WPA3 with PSK, and relies on a vulnerability in IWD.

So unless I’m missing something (which is very possible) 5160 doesn’t apply to most people and SMBs because they are not using Radius. So unless YOU are using Radius on your UniFi gear this vulnerability doesn’t apply.

The one that WOULD apply to most people is 5161 but your UniFi screenshot is showing wpa_supplicant and not IWD so according to mitre this one doesn’t apply to you either.

What am I missing here?

Dran_Arcana@lemmy.world on 23 Feb 2024 21:01 collapse

I just verified personally that it was present on unifi devices, since their docs weren’t clear. We are a mostly cisco/aruba shop where I work, but a lot of my colleagues at smaller businesses/universities use radius with unifi access points. I imagine they are vulnerable to this.

You are correct though in assessing that homelab users and very small enterprise users are probably safe.

heavy@sh.itjust.works on 23 Feb 2024 14:00 next collapse

Business Email Compromise (BEC)? (╯°□°）╯︵ ┻━┻

Squire1039@lemm.ee on 23 Feb 2024 20:42 collapse

The CVE-2023-52160, which applies to Android/linux/ChromeOS devices connecting to WPA2/WPA3 Enterprise, allows an attacker to fool the user to connect to a malicious SSID and intercept the traffic. So unencrypted traffic can be compromised. So, their listing of sensitive data, BEC, and password theft sound scary but probably affects very few services that don’t encrypt the data.

heavy@sh.itjust.works on 23 Feb 2024 23:12 collapse

Please don’t compromise my business emails, just my personal ones.

Squire1039@lemm.ee on 24 Feb 2024 01:18 collapse

Considered it done. ;-)

ooosssay@ani.social on 24 Feb 2024 02:34 next collapse

That’s crazy

Ilgaz@lemm.ee on 24 Feb 2024 12:58 collapse

Once more we will ignore the elephant in the room which is owned by a advertising giant. Android. Their OEM agreement was designed so bad that it makes you wonder if it does serve a purpose? I can theoretically easily compile the wpa_supplicant on the phone itself however I won’t be able to install/run it. Manufacturer even gave up the brand name itself. Billions of walking zombie devices as the result.