Cybersecurity researchers have identified two authentication bypass flaws in open source Wi-Fi software used on Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network, or let an attacker join an otherwise secure network without its password.
The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, were discovered following a security assessment of wpa_supplicant and Intel’s iNet Wireless Daemon (IWD), respectively.
The flaws “allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic and join otherwise secure networks without needing the password,” Top10VPN said in new research conducted in collaboration with Mathy Vanhoef, who previously discovered Wi-Fi attacks such as KRACK, DragonBlood and TunnelCrack.
CVE-2023-52161, in particular, allows an adversary to gain unauthorized access to a protected Wi-Fi network, exposing existing users and devices to attacks such as malware infection, data theft, and business email compromise (BEC). It affects IWD versions 2.12 and earlier. The issue lies in IWD's access-point mode, which did not enforce the message order of the WPA 4-way handshake, so a client could complete the handshake without ever proving knowledge of the passphrase.
CVE-2023-52160, on the other hand, affects wpa_supplicant versions 2.10 and earlier. It is the more serious of the two flaws because wpa_supplicant is the default supplicant on Android devices, handling their connections to wireless networks.
That said, it only affects Wi-Fi clients configured for PEAP that do not verify the authentication server's certificate. Without that check, a rogue access point can complete the outer TLS tunnel (Phase 1) and then skip the inner credential check (Phase 2) by signalling success instead of running it, so the victim connects to the clone and hands over its traffic. CVE-2023-52161, by contrast, affects any network that uses a Linux device running IWD as a wireless access point (WAP).
Successful exploitation of CVE-2023-52160 hinges on the attacker knowing the SSID of a Wi-Fi network to which the victim has previously connected, and on being within radio range of the victim so that a rogue access point broadcasting that SSID is picked up by the device.
“One such possible scenario could be where an attacker roams a company building looking for networks before targeting an employee leaving the office,” the researchers said.
Major Linux distributions including Debian, Red Hat, SUSE, and Ubuntu have published advisories for the two flaws. The wpa_supplicant issue has also been fixed in ChromeOS 118 and later, but fixes for Android have yet to be made available.
“In the meantime, it is therefore crucial that Android users manually configure the CA certificate of any saved corporate network to prevent the attack,” Top10VPN said.
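The misconfiguration that the caveat above and Top10VPN's advice both refer to is a saved PEAP (or TTLS) profile with no CA certificate, so the client never checks who terminates the TLS tunnel. As an added example, not code from the article, from Top10VPN, or from the wpa_supplicant project, the following Python script audits a wpa_supplicant.conf for such profiles and renders a hardened replacement block. The sample configuration, SSIDs, credentials, CA path and RADIUS hostname are constructed for illustration; `ca_cert`, `ca_path`, `domain_match`, `domain_suffix_match` and `subject_match` are real wpa_supplicant network options.

```python
"""Audit wpa_supplicant.conf network blocks for the precondition of
CVE-2023-52160: a tunneled-EAP profile (PEAP/TTLS) that never verifies the
RADIUS server's certificate, so Phase 2 can be bypassed by a rogue AP."""
import re

# Constructed sample config (not from any real deployment). Block 1 is the
# weak PEAP profile the attack needs, block 2 the hardened form, block 3 an
# ordinary WPA-PSK network that needs no EAP checks at all.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomeWiFi"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

# EAP methods that run an inner (Phase 2) authentication inside a TLS tunnel.
TUNNELED_EAP = {"PEAP", "TTLS"}
# Options that make the client validate the server's certificate chain at all.
CA_KEYS = ("ca_cert", "ca_path")
# Options that additionally bind the certificate to the expected server name.
NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match")
# Options whose values wpa_supplicant expects in double quotes (hex PSKs are not
# quoted, but this example only rewrites EAP profiles).
QUOTED_KEYS = {"ssid", "identity", "password", "psk", "phase2", *CA_KEYS, *NAME_KEYS}

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)
_KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*)"?\s*$', re.MULTILINE)


def parse_networks(conf: str) -> list[dict[str, str]]:
    """Return one {option: value} dict per network={...} block, quotes stripped."""
    return [{k: v.strip() for k, v in _KV_RE.findall(m.group(1))}
            for m in _BLOCK_RE.finditer(conf)]


def audit_networks(conf: str) -> dict[str, list[str]]:
    """Map each SSID to its findings; an empty list means the profile is fine."""
    findings = {}
    for net in parse_networks(conf):
        issues = []
        # 'eap=' may list several methods, e.g. "PEAP TTLS".
        if set(net.get("eap", "").upper().split()) & TUNNELED_EAP:
            if not any(k in net for k in CA_KEYS):
                issues.append("no ca_cert/ca_path: the server certificate is never "
                              "verified, so a rogue AP can finish Phase 1 and skip "
                              "Phase 2 (the CVE-2023-52160 precondition)")
            if not any(k in net for k in NAME_KEYS):
                issues.append("no domain_match/domain_suffix_match: any certificate "
                              "issued by the CA is accepted as the RADIUS server")
        findings[net.get("ssid", "<no ssid>")] = issues
    return findings


def harden_network(net: dict[str, str], ca_cert: str, domain: str) -> str:
    """Render a network block with the CA pinned and the server name matched.
    ca_cert and domain are deployment-specific and must come from the caller."""
    fixed = dict(net, ca_cert=ca_cert, domain_match=domain)
    lines = ["network={"]
    for key, value in fixed.items():
        lines.append(f'    {key}="{value}"' if key in QUOTED_KEYS else f"    {key}={value}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ssid, issues in audit_networks(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
    weak = next(n for n in parse_networks(SAMPLE_CONF) if n["ssid"] == "CorpWiFi")
    print(harden_network(weak, "/etc/ssl/certs/corp-radius-ca.pem", "radius.corp.example"))
```

The parser is deliberately minimal (it ignores comments, `cred={}` blocks and multi-line values), so treat it as a quick audit of the common file layout rather than a full config parser. On Android the equivalent fix is made in the saved network's enterprise settings: select the organisation's CA certificate rather than "Do not validate", and fill in the Domain field with the RADIUS server's hostname so that a certificate from the same CA for a different host is also rejected.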