Is OpenWRT affected by CVE-2022-23303 SAE / CVE-2022-23304 EAP-pwd?

Hi there,

I'm just asking which versions of OpenWRT are affected by CVE-2022-23303 and/or CVE-2022-23304?


Running OpenWRT 19.07.8 I only have hostapd installed, but version says 2019-08-08-ca8c2bd2-7 so I guess it is affected?

wpa_supplicant is available as optional package, but I guess it is affected too?

Will there be a hotfix?

Thanks in advance for any info.

In package list on homepage there is a newer version. But the version number doesn’t make any sense. The cve say version 2.10 but the real hostapd package version is a date?

OpenWrt builds hostapd from git, so the version number is "weird":

OK, so we have to find out, when "2.10" was released to know, if the version we are using is affected or not.

Any info appreciated, I will start my research.

EDIT: OK this was pretty easy:

2.10 = stable release from 16th of January 2022.

So every version of hostapd and wpa_supplicant in stable OpenWRT releases up to 21.02.1 is affected.

So will there be a patch? If yes, how to apply?

Usually in the form of 21.02.2.

hostapd in the master branch has been updated:

Thank you very much, now for OpenWRT "endusers":
Is there an easy way to apply? Does the package need a build system to get the updated version?

Soon to be released OpenWrt 21.02.2 has those fixes.


The vulnerability only affects dictionary attack vulnerable passwords as per my understanding