WPA Security Update for Debian 10 ELTS

A security update has been released for the WPA package in Debian GNU/Linux 10 (Buster) Extended LTS, identified as ELA-1419-1. This update addresses multiple vulnerabilities in the WPA tools, particularly affecting the widely-used wpasupplicant client, which is crucial for authenticating with WPA and WPA2 wireless networks.

The vulnerabilities addressed in this update include:

1. CVE-2022-23303: This vulnerability affects the implementation of the Simultaneous Authentication of Equals (SAE) in hostapd, making it susceptible to side-channel attacks due to how cache access patterns are handled.

2. CVE-2022-23304: Similar to the previous issue, this vulnerability affects the EAP-pwd (Extensible Authentication Protocol with password) implementations, which are also vulnerable to side-channel attacks resulting from cache access patterns.

3. CVE-2022-37660: This issue involves the PKEX (Public Key Exchange) code, which remains active even after a successful PKEX association. An attacker who previously bootstrapped public keys with another entity using PKEX could exploit this vulnerability to undermine future bootstrapping processes by passively observing the public keys.

To secure systems running Debian 10, it is essential to apply this update promptly. Users are encouraged to keep their systems up-to-date to mitigate risks associated with these vulnerabilities and ensure the integrity of their wireless network communications.

In addition to this update, it is advisable for users to regularly review security advisories and consider implementing best practices for network security, such as using strong passwords, enabling two-factor authentication where possible, and ensuring that software and firmware are kept current.

A WPA security update has been issued for Debian GNU/Linux 10 (Buster) Extended LTS:

ELA-1419-1 wpa security update