Side-Channel Vulnerability in hostapd and wpa_supplicant
CVE-2022-23304

9.8CRITICAL

Key Information:

Vendor

W1.fi

Status
Hostapd
WPa Supplicant
Vendor
CVE Published:
17 January 2022

What is CVE-2022-23304?

The implementations of EAP-pwd in hostapd and wpa_supplicant prior to version 2.10 are exposed to potential side-channel attacks due to predictable cache access patterns. This vulnerability arises from an incomplete fix for a prior issue, CVE-2019-9495, highlighting the importance of comprehensive security measures in network applications.

References

https://w1.fi/security/2022-1/
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory
https://security.gentoo.org/glsa/202309-16
vendor-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.