Wi-Fi vulnerabilities expose Android and Linux systems to threat actors

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Two authentication bypass vulnerabilities (tracked as CVE-2023-52160 and CVE-2023-52161) have been identified in open-source Wi-Fi software (wpa_supplicant and IWD) used by Android, Linux, and ChromeOS devices. They could be used to lure users into joining a malicious clone of a legitimate network, or to allow a threat actor to join a trusted network without a password.

CVE-2023-52160 only affects Wi-Fi clients that are not configured to verify the authentication server's certificate, whereas CVE-2023-52161 affects any network that uses a Linux device as a wireless access point (WAP).

Impact

Successful exploitation of CVE-2023-52161 would likely allow a threat actor to gain unauthorised access to a protected Wi-Fi network, resulting in the exposure of affected users and devices to attack vectors such as malware deployment, data theft, and business email compromise (BEC).

Successful exploitation of CVE-2023-52160 requires wpa_supplicant to be configured not to verify the network's TLS certificate during Phase 1 authentication; a flaw in eap_peap_decrypt can then be leveraged to skip Phase 2 authentication. This allows an adversary to impersonate enterprise Wi-Fi networks.

Vulnerability Detection

Vendors of the affected products have released patched versions of each impacted product; earlier versions should be treated as vulnerable to compromise.

Affected Products

CVE-2023-52161 affects IWD (iNet Wireless Daemon) versions 2.12 and earlier

CVE-2023-52160 affects wpa_supplicant versions 2.10 and earlier

Containment, Mitigations, and Remediations

Linux distributions such as Debian, Red Hat, SUSE and Ubuntu have released advisories for the two vulnerabilities. The wpa_supplicant flaw has also been addressed in ChromeOS version 118 and later, but remediations for Android are yet to be disclosed. In the interim, it is strongly recommended that Android users manually configure the CA certificate of any saved enterprise networks so that the authentication server is verified.
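To turn that recommendation into a repeatable check on Linux hosts, here is an added example (not code from the bulletin, from wpa_supplicant, or from any vendor advisory): a POSIX shell script that audits a wpa_supplicant.conf-style file for EAP network blocks that lack a CA anchor (ca_cert or ca_path) or a server-name constraint (domain_match or domain_suffix_match), which is exactly the client-side configuration CVE-2023-52160 depends on. The sample configuration it writes is constructed for the demo; its SSIDs, file paths and credentials are placeholders, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the bulletin): audit a wpa_supplicant.conf for
# EAP (enterprise) network blocks that do not pin the authentication
# server's CA certificate. Such blocks meet the precondition that
# CVE-2023-52160 relies on. Assumes a Linux host that keeps its saved
# networks in a wpa_supplicant.conf-style file.

# Print one line per EAP network block: "OK ..." when both a CA anchor
# (ca_cert or ca_path) and a server-name constraint (domain_match or
# domain_suffix_match) are set, "WEAK ..." otherwise. PSK/open networks
# are skipped because the flaw concerns EAP server authentication.
audit_wpa_conf() {
    awk '
    # strip the surrounding double quotes wpa_supplicant uses for strings
    function unquote(v) {
        if (substr(v, 1, 1) == "\"") v = substr(v, 2)
        if (substr(v, length(v), 1) == "\"") v = substr(v, 1, length(v) - 1)
        return v
    }
    /^[[:space:]]*network[[:space:]]*=[[:space:]]*[{]/ {
        inblk = 1; ssid = ""; eap = ""; ca = 0; dom = 0; next
    }
    inblk && /^[[:space:]]*[}]/ {
        if (eap != "") {
            why = ""
            if (!ca)  why = why "no ca_cert/ca_path"
            if (!dom) why = why (why == "" ? "" : "; ") "no domain_match/domain_suffix_match"
            if (why == "") printf "OK   ssid=%s eap=%s\n", ssid, eap
            else           printf "WEAK ssid=%s eap=%s: %s\n", ssid, eap, why
        }
        inblk = 0; next
    }
    inblk {
        line = $0
        sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
        if (line ~ /^#/ || index(line, "=") == 0) next
        i = index(line, "=")           # split on the first "=" only,
        key = substr(line, 1, i - 1)   # so phase2="auth=MSCHAPV2" parses
        val = unquote(substr(line, i + 1))
        if (key == "ssid") ssid = val
        else if (key == "eap") eap = val
        else if (key == "ca_cert" || key == "ca_path") ca = 1
        else if (key == "domain_match" || key == "domain_suffix_match") dom = 1
    }
    ' "$1"
}

# Number of EAP blocks flagged WEAK (prints 0 when there are none).
count_weak_eap_networks() {
    audit_wpa_conf "$1" | grep -c '^WEAK' || true
}

# Constructed sample config (placeholder values): one unpinned PEAP
# network (the risky configuration), one pinned PEAP network (the
# recommended form), one TTLS network with a CA but no server-name check,
# and a plain PSK network that the audit ignores.
write_sample_conf() {
    cat > "$1" <<'EOF'
network={
    ssid="CorpWiFi-Unpinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-NoDomain"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="example-only"
}
EOF
}

# Run with --demo to audit the constructed sample instead of a real file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    audit_wpa_conf "$tmp"
    echo "weak EAP networks: $(count_weak_eap_networks "$tmp")"
    rm -f "$tmp"
fi
```

Point audit_wpa_conf at the real configuration (for example /etc/wpa_supplicant/wpa_supplicant.conf, or the per-connection files a network manager generates) and treat every WEAK line as a network to fix by adding ca_cert and domain_match. A block that has ca_cert but no domain_match is still reported, because a CA anchor alone accepts any server certificate issued by that CA. Android does not expose wpa_supplicant.conf directly; the equivalent fix there is the CA certificate and domain fields in the saved enterprise network's settings, which this script does not check.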

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Mobile operating systems such as Android account for a significant share of the mobile OS market. Since threat actors generally weigh the likelihood of success against asset value when choosing which attack surfaces to focus on, Android devices have become a prime target. Because such devices are integral to both personal and business operations, threat actors will continue to exploit vulnerabilities in them in an attempt to extract the sensitive data they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Persistence Technique:

T1556 – Modify Authentication Process

Further Information

Top10 VPN Article