VYPR
Unrated severity · NVD Advisory · Published Feb 22, 2024 · Updated Nov 4, 2025

CVE-2023-52160


Description

PEAP implementation in wpa_supplicant up to 2.10 allows authentication bypass when TLS certificate verification is disabled, letting attackers impersonate Enterprise Wi-Fi networks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The PEAP implementation in wpa_supplicant through version 2.10 contains an authentication bypass vulnerability (CVE-2023-52160). The issue resides in the eap_peap_decrypt function. When wpa_supplicant is configured to not verify the network's TLS certificate during Phase 1 authentication, an attacker can send an EAP-TLV Success packet instead of proceeding to Phase 2 authentication. This causes wpa_supplicant to skip Phase 2 PEAP authentication entirely. wpa_supplicant is the default Wi-Fi client software in Android devices and is also widely used in Linux and ChromeOS systems [1].

Exploitation

An attacker must be within radio range of a victim device running a vulnerable version of wpa_supplicant (2.10 or earlier) that is configured with TLS certificate verification disabled during Phase 1. The attacker can set up a rogue Enterprise Wi-Fi access point impersonating a legitimate network. When the victim attempts to connect, the attacker sends a crafted EAP-TLV Success packet during the PEAP handshake. This exploits the eap_peap_decrypt vulnerability to bypass the second authentication phase, allowing the attacker to complete the handshake without valid credentials [1].

Impact

Successful exploitation allows an adversary to impersonate a legitimate Enterprise Wi-Fi network and gain access to the victim's network traffic. The attacker can intercept, modify, or redirect data exchanged by the victim, leading to potential information disclosure, credential theft, or further attacks. No special privileges beyond proximity are required, and the attack does not depend on user interaction beyond the victim attempting to connect to the network [1].

Mitigation

wpa_supplicant version 2.10 is the last affected version. The vulnerability is fixed in wpa_supplicant 2.11. Users should update to 2.11 or later. As a workaround, users can ensure that TLS certificate verification is enabled during Phase 1 authentication for Enterprise Wi-Fi networks. No known KEV listing exists at this time [1].
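A configuration audit for the workaround above, as an added example (not part of the advisory or the wpa_supplicant project): it parses `network={...}` blocks from a wpa_supplicant.conf and lists PEAP networks that set neither `ca_cert` nor `ca_path`, the case in which wpa_supplicant does not verify the server certificate. The sample configuration, SSIDs and file paths are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the advisory); SSIDs, paths and
# the passphrase are made up for illustration.
SAMPLE_CONF = '''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-verified"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="home"
    psk="constructed-passphrase"
}
'''

def parse_networks(text):
    """Return one dict of key -> value for each network={...} block."""
    nets = []
    for body in re.findall(r'network=\{(.*?)\n\s*\}', text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith('#') and '=' in line:
                key, value = line.split('=', 1)  # values may contain '='
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def unverified_peap(text):
    """SSIDs of PEAP networks with neither ca_cert nor ca_path configured."""
    flagged = []
    for net in parse_networks(text):
        if 'PEAP' in net.get('eap', '').upper().split():
            if not (net.get('ca_cert') or net.get('ca_path')):
                flagged.append(net.get('ssid', '<no ssid>'))
    return flagged

if __name__ == "__main__":
    print(unverified_peap(SAMPLE_CONF))
```

A flagged network should gain a trusted CA (`ca_cert` or `ca_path`), ideally together with a server-name constraint such as `domain_suffix_match`, in addition to the upgrade to 2.11.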

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

31

Patches

0

No patches discovered yet.


References

5
