External risk intelligence

hostapd and wpa_supplicant EAP-pwd Side-Channel Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-23304

This vulnerability affects hostapd and wpa_supplicant, which are local software components used to manage Wi-Fi authentication (EAP-pwd). These services operate at the link layer for local wireless network access, not as public-internet-facing services or gateways, and are typically restricted to the immediate physical or local network environment.

W1 Fi Hostapd

before 2.1035

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a vulnerability in certain Wi-Fi authentication software that could allow unauthorized access to sensitive information or systems if exploited. The issue stems from how the software handles user authentication data, making it susceptible to side-channel attacks. The primary concern is to confirm whether this specific software is in use within our environment.

  • Vulnerable Wi-Fi authentication software discovered.
  • Leadership should remember this for potential network access risks.
  • Confirm relevance and exposure to understand impact.

Attack Path

How an attacker could exploit the issue

An attacker could target devices running vulnerable versions of hostapd or wpa_supplicant by exploiting a weakness in how they handle EAP-pwd authentication. This vulnerability stems from how the software accesses cached information during the authentication process, potentially allowing an attacker to infer sensitive details. Successful exploitation could lead to significant compromise of confidentiality, integrity, and availability.

  • Requires network access.
  • Triggers during Wi-Fi authentication.
  • Leads to data theft and disruption.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could expose sensitive information about Wi-Fi authentication credentials when specific Wi-Fi protocols are used. The attack relies on observing cache access patterns during the authentication process.

  • Wi-Fi authentication credentials.
  • Cache access patterns during authentication.
  • Unauthorized network access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts hostapd and wpa_supplicant, primarily managed by infrastructure or platform teams responsible for network services. The first practical step is to inventory systems running these components, assess their network exposure and business criticality, and identify the accountable system owners before planning remediation.

  • Infrastructure and platform teams own the issue.
  • Verify system exposure and business criticality.
  • Plan risk-based remediation with vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is hostapd and wpa_supplicant?

These are essential software components for Linux-based systems to handle Wi-Fi connectivity. hostapd allows a device to act as a wireless access point, while wpa_supplicant acts as the client that manages connections to those networks. They are fundamental tools for managing how devices authenticate and securely join wireless environments using protocols like EAP-pwd.

How does CVE-2022-23304 work?

This vulnerability is classified as CWE-203, which relates to Observable Discrepancy. It stems from how the software manages memory cache during the EAP-pwd authentication process. Because the time or pattern of cache access can change based on the data being processed, an observer could potentially infer sensitive authentication details by analyzing these side-channel patterns.

What triggers this side-channel vulnerability?

The vulnerability is triggered specifically during the EAP-pwd authentication exchange between a client and an access point. It does not trigger during standard data transmission or when using authentication methods other than EAP-pwd. An attacker must be in a position to observe the timing or cache interaction patterns while the authentication handshake is actively occurring.

Is my network at risk for CVE-2022-23304?

Halo Surface Signal indicates that this risk is very unlikely to affect public-facing services. Because these components operate at the link layer to manage local wireless authentication, they are typically not accessible from the public internet. The risk is primarily contained to the immediate physical or local network environment where Wi-Fi authentication is taking place.

What is the first step to address this?

The priority is to locate where these software versions are running in your environment. Infrastructure teams should inventory systems using hostapd or wpa_supplicant and check the version numbers. Once you have identified systems running versions older than 2.10, you can prioritize updates based on the business importance of those specific Wi-Fi-enabled devices.

References