CVE-2023-52160

Published: 16 Feb 2024
Source: redhat
CVSS3: 6.5

Description

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

A flaw was found in wpa_supplicant's implementation of PEAP. This issue may allow an attacker to skip the second phase of authentication when the target device has not been properly configured to verify the authentication server. By skipping the second phase of authentication, it’s easier for an attacker to create a rogue clone of a trusted WiFi network to trick the victim into connecting, all without knowing their password.
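The precondition named above is a PEAP network profile that does not verify the server's TLS certificate during Phase 1. As an added example (not code from Red Hat's advisory or from the wpa_supplicant project), the Python below audits a wpa_supplicant.conf for such profiles. The sample configuration, SSIDs, file paths and function names are constructed, and the parser assumes no `}` appears inside a value.

```python
import re

# Constructed sample config (not from the advisory): one PEAP profile with no
# server certificate validation, one with a CA and a server-name constraint.
SAMPLE_CONF = '''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP TTLS
    ca_cert="/etc/pki/tls/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
# network={ ssid="commented-out" eap=PEAP }
'''

TRUST_ANCHOR_KEYS = ("ca_cert", "ca_path")
NAME_CHECK_KEYS = ("domain_suffix_match", "domain_match",
                   "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)  # drop full-line comments
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, flags=re.S):
        pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
        blocks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return blocks

def audit_peap(text):
    """List (ssid, issue) for PEAP profiles with weak Phase 1 server validation."""
    findings = []
    for net in parse_networks(text):
        if "PEAP" not in net.get("eap", "").upper().split():
            continue
        ssid = net.get("ssid", "<no ssid>")
        if not any(net.get(k) for k in TRUST_ANCHOR_KEYS):
            findings.append((ssid, "no ca_cert/ca_path: server certificate is not verified"))
        elif not any(net.get(k) for k in NAME_CHECK_KEYS):
            findings.append((ssid, "CA set but no server name constraint"))
    return findings
```

Calling `audit_peap(SAMPLE_CONF)` reports only the `corp-wifi` profile; profiles managed by NetworkManager or another front end are stored elsewhere and are not covered by this check.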

Report

While the flaw in wpa_supplicant's implementation of PEAP authentication represents a concerning security vulnerability, its classification as a moderate severity issue is based on several factors. Firstly, the attack requires specific prerequisites, including knowledge of the target SSID and the misconfiguration of wpa_supplicant on the victim's device, which somewhat limits its widespread exploitation. Additionally, the attack vector primarily targets Enterprise networks relying on PEAP authentication, narrowing its impact compared to more widely used authentication methods. Furthermore, while the ability to bypass Phase-2 authentication poses a risk of unauthorized network access and potential data exposure, it does not directly compromise the confidentiality or integrity of sensitive information.

Mitigation

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat Enterprise Linux 6 | wpa_supplicant | Out of support scope | | |
| Red Hat Enterprise Linux 7 | wpa_supplicant | Out of support scope | | |
| Red Hat Enterprise Linux 8 | wpa_supplicant | Will not fix | | |
| Red Hat Enterprise Linux 9 | wpa_supplicant | Fixed | RHSA-2024:2517 | 30.04.2024 |


Additional information

Status: Moderate
Defect: CWE-285
https://bugzilla.redhat.com/show_bug.cgi?id=2264593 wpa_supplicant: potential authorization bypass

6.5 Medium

CVSS3

Related vulnerabilities

CVSS3: 6.5
ubuntu
more than 1 year ago

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

CVSS3: 6.5
nvd
more than 1 year ago

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

CVSS3: 6.5
msrc
4 months ago

No description available

CVSS3: 6.5
debian
more than 1 year ago

The implementation of PEAP in wpa_supplicant through 2.10 allows authe ...

suse-cvrf
9 months ago

Security update for wpa_supplicant
