CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
AI Score Confidence: High
EPSS Percentile: 35.7%

Debian LTS Advisory DLA-3743-1 [email protected]
https://www.debian.org/lts/security/
Chris Lamb
February 27, 2024
https://wiki.debian.org/LTS

Package    : wpa
Version    : 2:2.7+git20190128+0c1e29f-6+deb10u4
CVE ID     : CVE-2023-52160
Debian Bug : 1064061

It was discovered that there was a potential authentication bypass
vulnerability in wpa, a set of tools including the widely-used
wpasupplicant client for authenticating with WPA and WPA2 wireless
networks.

For an attack to have been successful, wpasupplicant must have been
configured to not verify the network's TLS certificate during Phase 1
of the authentication cycle; an eap_peap_decrypt vulnerability could
have been used to skip Phase 2 authentication by sending an EAP-TLV
"Success" packet instead of starting Phase 2.

For Debian 10 buster, this problem has been fixed in version
2:2.7+git20190128+0c1e29f-6+deb10u4.

We recommend that you upgrade your wpa packages.

For the detailed security status of wpa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpa

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 11 | s390x | hostapd-dbgsym | < 2:2.9.0-21+deb11u1 | hostapd-dbgsym_2:2.9.0-21+deb11u1_s390x.deb |
Debian | 10 | i386 | wpasupplicant | < 2:2.7+git20190128+0c1e29f-6+deb10u4 | wpasupplicant_2:2.7+git20190128+0c1e29f-6+deb10u4_i386.deb |
Debian | 12 | i386 | eapoltest-dbgsym | < 2:2.10-12+deb12u1 | eapoltest-dbgsym_2:2.10-12+deb12u1_i386.deb |
Debian | 12 | ppc64el | wpasupplicant-dbgsym | < 2:2.10-12+deb12u1 | wpasupplicant-dbgsym_2:2.10-12+deb12u1_ppc64el.deb |
Debian | 11 | mips64el | eapoltest | < 2:2.9.0-21+deb11u1 | eapoltest_2:2.9.0-21+deb11u1_mips64el.deb |
Debian | 12 | mips64el | wpasupplicant-dbgsym | < 2:2.10-12+deb12u1 | wpasupplicant-dbgsym_2:2.10-12+deb12u1_mips64el.deb |
Debian | 12 | arm64 | libwpa-client-dev | < 2:2.10-12+deb12u1 | libwpa-client-dev_2:2.10-12+deb12u1_arm64.deb |
Debian | 10 | all | wpa | < 2:2.7+git20190128+0c1e29f-6+deb10u4 | wpa_2:2.7+git20190128+0c1e29f-6+deb10u4_all.deb |
Debian | 11 | mipsel | hostapd | < 2:2.9.0-21+deb11u1 | hostapd_2:2.9.0-21+deb11u1_mipsel.deb |
Debian | 11 | armel | wpasupplicant | < 2:2.9.0-21+deb11u1 | wpasupplicant_2:2.9.0-21+deb11u1_armel.deb |