Is OpenWRT affected by CVE-2022-23303 SAE / CVE-2022-23304 EAP-pwd?

bad_joker · January 31, 2022, 9:09am

Hi there,

I'm just asking which versions of OpenWRT are affected by CVE-2022-23303 and/or CVE-2022-23304?

Source:

https://w1.fi/security/2022-1/

Running OpenWRT 19.07.8 I only have hostapd installed, but version says 2019-08-08-ca8c2bd2-7 so I guess it is affected?

wpa_supplicant is available as optional package, but I guess it is affected too?

Will there be a hotfix?

Thanks in advance for any info.

flygarn12 · January 31, 2022, 10:27am

In package list on homepage there is a newer version. But the version number doesn’t make any sense. The cve say version 2.10 but the real hostapd package version is a date?

Ityns · January 31, 2022, 2:14pm

OpenWrt builds hostapd from git, so the version number is "weird":

github.com

openwrt/openwrt/blob/master/package/network/services/hostapd/Makefile

# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2006-2021 OpenWrt.org

include $(TOPDIR)/rules.mk

PKG_NAME:=hostapd
PKG_RELEASE:=$(AUTORELEASE)

PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git
PKG_SOURCE_DATE:=2021-05-22
PKG_SOURCE_VERSION:=b102f19bcc53c7f7db3951424d4d46709b4f1986
PKG_MIRROR_HASH:=cb3cb968883042fc582752be1607586696c18e6ecf9808c9a8ac50e204584367

PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
PKG_LICENSE:=BSD-3-Clause
PKG_CPE_ID:=cpe:/a:w1.fi:hostapd

PKG_BUILD_PARALLEL:=1

This file has been truncated. show original

bad_joker · January 31, 2022, 2:17pm

OK, so we have to find out, when "2.10" was released to know, if the version we are using is affected or not.

Any info appreciated, I will start my research.

EDIT: OK this was pretty easy:
http://w1.fi/releases.html

2.10 = stable release from 16th of January 2022.

So every version of hostapd and wpa_supplicant in stable OpenWRT releases up to 21.02.1 is affected.

So will there be a patch? If yes, how to apply?

flygarn12 · January 31, 2022, 3:51pm

Usually in the form of 21.02.2.

Ityns · February 8, 2022, 10:37am

hostapd in the master branch has been updated:

github.com/openwrt/openwrt

hostapd: update to v2.10

committed 07:57PM - 17 Jan 22 UTC

blocktrron

+57 -447

Upstreamed patches: 020-mesh-make-forwarding-configurable.patch e6db1bc5da3fd7d5…f4dba24aa102543b4749912f 550-WNM-allow-specifying-dialog-token.patch 979f19716539362f8ce60a77bf1b88fdcf5ba8e5 720-ACS-fix-channel-100-frequency.patch 2341585c349231af00cdef8d51458df01bc6965f 741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch 08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f Compile-tested: wpad-wolfssl hostapd-openssl Run-tested: ath79-generic Signed-off-by: David Bauer <mail@david-bauer.net> Tested-by: Stijn Tintel <stijn@linux-ipv6.be>

bad_joker · February 8, 2022, 11:44am

Thank you very much, now for OpenWRT "endusers":
Is there an easy way to apply? Does the package need a build system to get the updated version?

Ityns · February 18, 2022, 6:23pm

Soon to be released OpenWrt 21.02.2 has those fixes.

tankwrt · February 18, 2022, 7:52pm

The vulnerability only affects dictionary attack vulnerable passwords as per my understanding