Hi there,
I'm just asking which versions of OpenWRT are affected by CVE-2022-23303 and/or CVE-2022-23304?
Source:
https://w1.fi/security/2022-1/
Running OpenWRT 19.07.8 I only have hostapd installed, but version says 2019-08-08-ca8c2bd2-7 so I guess it is affected?
wpa_supplicant is available as optional package, but I guess it is affected too?
Will there be a hotfix?
Thanks in advance for any info.
In package list on homepage there is a newer version. But the version number doesn’t make any sense. The cve say version 2.10 but the real hostapd package version is a date?
Ityns
January 31, 2022, 2:14pm
3
OpenWrt builds hostapd from git, so the version number is "weird":
OK, so we have to find out, when "2.10" was released to know, if the version we are using is affected or not.
Any info appreciated, I will start my research.
EDIT: OK this was pretty easy:
http://w1.fi/releases.html
2.10 = stable release from 16th of January 2022.
So every version of hostapd and wpa_supplicant in stable OpenWRT releases up to 21.02.1 is affected.
So will there be a patch? If yes, how to apply?
Usually in the form of 21.02.2.
Ityns
February 8, 2022, 10:37am
6
hostapd in the master branch has been updated:
committed 07:57PM - 17 Jan 22 UTC
Upstreamed patches:
020-mesh-make-forwarding-configurable.patch
e6db1bc5da3fd7d5… f4dba24aa102543b4749912f
550-WNM-allow-specifying-dialog-token.patch
979f19716539362f8ce60a77bf1b88fdcf5ba8e5
720-ACS-fix-channel-100-frequency.patch
2341585c349231af00cdef8d51458df01bc6965f
741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch
08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f
Compile-tested: wpad-wolfssl hostapd-openssl
Run-tested: ath79-generic
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
Thank you very much, now for OpenWRT "endusers":
Is there an easy way to apply? Does the package need a build system to get the updated version?
Ityns
February 18, 2022, 6:23pm
8
committed 07:37PM - 12 Feb 22 UTC
This fixes some recent security problems in hostapd.
See here for details: https… ://w1.fi/security/2022-1
* CVE-2022-23303
* CVE-2022-23304
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Soon to be released OpenWrt 21.02.2 has those fixes.
2 Likes
tankwrt
February 18, 2022, 7:52pm
9
The vulnerability only affects dictionary attack vulnerable passwords as per my understanding