USN-7317-1: wpa_supplicant and hostapd vulnerabilities

Releases

• Ubuntu 24.10
• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS

Packages

• wpa - client support for WPA and WPA2

Details

George Chatzisofroniou and Panayiotis Kotzanikolaou discovered that
wpa_supplicant and hostapd reused encryption elements in the PKEX protocol.
An attacker could possibly use this issue to impersonate a wireless access
point, and obtain sensitive information. (CVE-2022-37660)

Daniel De Almeida Braga, Mohamed Sabt, and Pierre-Alain Fouque discovered
that wpa_supplicant and hostapd were vulnerable to side channel attacks due
to the cache access patterns. An attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu 20.04 LTS.
(CVE-2022-23303, CVE-2022-23304)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.10

• hostapd - 2:2.10-22ubuntu0.1
• wpasupplicant - 2:2.10-22ubuntu0.1

Ubuntu 24.04

• hostapd - 2:2.10-21ubuntu0.2
• wpasupplicant - 2:2.10-21ubuntu0.2

Ubuntu 22.04

• hostapd - 2:2.10-6ubuntu2.2
• wpasupplicant - 2:2.10-6ubuntu2.2

Ubuntu 20.04

• hostapd - 2:2.9-1ubuntu4.6
• wpasupplicant - 2:2.9-1ubuntu4.6

In general, a standard system update will make all the necessary changes.

References

• CVE-2022-23303
• CVE-2022-23304
• CVE-2022-37660