Bug 2282013 (CVE-2023-52424)

Summary: CVE-2023-52424 802.11: SSID Confusion attack
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: darunesh, dfreiber, drow, dvlasenk, jburrell, pbrobinson, security-response-team, sidakwo, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: pbrobinson: needinfo? (darunesh)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the IEEE 802.11 standard. This vulnerability possibly allows an adversary to trick a victim into connecting to an unintended or untrusted network because the SSID is not always used to derive the pairwise master key or session keys and because there is not a protected exchange of an SSID during a 4-way handshake.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2293096, 2293094, 2293095, 2293097, 2293098, 2294016
Bug Blocks: 2282014

Description Pedro Sampaio 2024-05-20 20:17:56 UTC
The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home WEP, Home WPA3 SAE-loop, Enterprise 802.1X/EAP, Mesh AMPE, or FILS, aka an "SSID Confusion" issue. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and because there is not a protected exchange of an SSID during a 4-way handshake.

References:

https://mentor.ieee.org/802.11/dcn/24/11-24-0938-03-000m-protect-ssid-in-4-way-handshake.docx
https://www.top10vpn.com/assets/2024/05/Top10VPN-x-Vanhoef-SSID-Confusion.pdf
https://www.top10vpn.com/research/wifi-vulnerability-ssid/
https://www.wi-fi.org/news-events/press-releases

Comment 2 Anten Skrabec 2024-05-28 18:04:45 UTC
Public at the following link, remove embargo: https://www.top10vpn.com/research/wifi-vulnerability-ssid/

Comment 3 Dhananjay Arunesh 2024-06-19 15:01:20 UTC
Created NetworkManager tracking bugs for this issue:

Affects: fedora-all [bug 2293094]


Created hostapd tracking bugs for this issue:

Affects: epel-all [bug 2293096]
Affects: fedora-all [bug 2293097]


Created linux-firmware tracking bugs for this issue:

Affects: fedora-all [bug 2293098]


Created wpa_supplicant tracking bugs for this issue:

Affects: fedora-all [bug 2293095]

Comment 6 Peter Robinson 2024-06-19 18:06:09 UTC
(In reply to Anten Skrabec from comment #2)
> Public at the following link, remove embargo:
> https://www.top10vpn.com/research/wifi-vulnerability-ssid/

Looking at this I would expect this to cover the linux kernel plus userspace.

Which wireless firmware is affected by this?

Also, I suspect you've missed iwd (similar to wpa_supplicant).

Comment 7 Anten Skrabec 2024-06-24 22:02:42 UTC
Created iwd tracking bugs for this issue:

Affects: fedora-all [bug 2294016]

Comment 9 Denys Vlasenko 2024-06-25 10:01:21 UTC
> Created linux-firmware tracking bugs

After reading the documentation on the CVE, the fix is likely to not be in wifi *firmware*, but in software (prefer / force WPA3 SAE-const mode instead of SAE-loop): IIRC these days authentication protocols are not delegated to firmware, as they evolve too quickly, and may need some CPU power to do elliptic curve math and such, thus host CPU is much more suitable location to handle it.