CVE-2022-23303
📋 TL;DR
CVE-2022-23303 is a side-channel vulnerability in SAE (Simultaneous Authentication of Equals) implementations in hostapd and wpa_supplicant that allows attackers to recover Wi-Fi passwords by analyzing cache access patterns during authentication. This affects systems using WPA3 or WPA2 with SAE authentication. The vulnerability results from an incomplete fix for CVE-2019-9494.
💻 Affected Systems
- hostapd
- wpa_supplicant
📦 What is this software?
Fedora by Fedoraproject
Hostapd by W1.fi
⚠️ Risk & Real-World Impact
Worst Case
Attackers within Wi-Fi range can recover network passwords, gaining unauthorized access to encrypted Wi-Fi networks and potentially intercepting sensitive communications.
Likely Case
Local attackers with physical proximity to target networks can capture authentication handshakes and perform offline analysis to recover passwords over time.
If Mitigated
With proper patching and network segmentation, impact is limited to isolated Wi-Fi segments with no access to critical systems.
🎯 Exploit Status
Exploitation requires capturing authentication handshakes and performing timing analysis. Tools exist for similar side-channel attacks on Wi-Fi.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: hostapd 2.10+, wpa_supplicant 2.10+
Vendor Advisory: https://w1.fi/security/2022-1/
Restart Required: Yes
Instructions:
1. Update hostapd and wpa_supplicant packages to version 2.10 or later.
2. Restart affected services.
3. For embedded systems, update firmware from vendor.
🔧 Temporary Workarounds
Disable SAE authentication
Temporarily disable SAE/WPA3 and use WPA2 with traditional PSK authentication (Linux)
Edit /etc/hostapd/hostapd.conf and set wpa_key_mgmt=WPA-PSK
Edit /etc/wpa_supplicant/wpa_supplicant.conf and use WPA2-PSK
🧯 If You Can't Patch
- Segment Wi-Fi networks from critical systems using firewalls and VLANs
- Implement certificate-based authentication (WPA3-Enterprise) instead of SAE
🔍 How to Verify
Check if Vulnerable:
Check installed versions: hostapd -v; wpa_supplicant -v
Check Version:
command -v hostapd >/dev/null && hostapd -v 2>&1 | head -n 1 || echo 'hostapd not installed'; command -v wpa_supplicant >/dev/null && wpa_supplicant -v 2>&1 | head -n 1 || echo 'wpa_supplicant not installed'
Verify Fix Applied:
Verify versions are 2.10 or higher and check that SAE authentication still works properly
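One way to script the "2.10 or higher" check, as an added example that is not part of the original page or of the hostapd project. It assumes the version banner has the form `name vMAJOR.MINOR`; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a hostapd / wpa_supplicant version banner against
# the fixed release named on this page (2.10).
FIXED_MAJOR=2
FIXED_MINOR=10

# Extract "MAJOR.MINOR[suffix]" from a banner such as "hostapd v2.9".
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[a-z_]* v\([0-9][0-9]*\.[0-9][0-9]*[^ ]*\).*/\1/p' |
        head -n 1
}

# Print patched / vulnerable / unknown for one banner line.
sae_fix_status() {
    ver=$(banner_version "$1")
    [ -n "$ver" ] || { echo unknown; return; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    suffix=${rest#"$minor"}
    # Compare the fields as integers: 2.10 is newer than 2.9, which a string
    # or floating-point comparison gets backwards.
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -gt "$FIXED_MINOR" ]; }; then
        echo patched
    elif [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -eq "$FIXED_MINOR" ]; then
        # Assumption: a suffixed build (e.g. "-devel") labelled 2.10 may
        # predate the fix, so it is reported as unknown rather than patched.
        case $suffix in
            "") echo patched ;;
            *)  echo unknown ;;
        esac
    else
        echo vulnerable
    fi
}

# Constructed sample banners, one per line.
for banner in "hostapd v2.9" "wpa_supplicant v2.10" "wpa_supplicant v2.10-devel"; do
    printf '%s: %s\n' "$banner" "$(sae_fix_status "$banner")"
done
```

A distribution package may carry the fix backported onto an older upstream version number, so treat a "vulnerable" result as a prompt to check the distribution advisory for that package rather than as a final answer.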
📡 Detection & Monitoring
Log Indicators:
- Multiple failed SAE authentication attempts
- Unusual timing patterns in authentication logs
Network Indicators:
- Excessive SAE handshake captures
- Unusual devices attempting SAE authentication
SIEM Query:
source="hostapd.log" AND "SAE" AND ("failed" OR "timing")
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPDHU5MV464CZBPX7N2SNMUYP6DFIBZL/
- https://security.gentoo.org/glsa/202309-16
- https://w1.fi/security/2022-1/
- https://lists.debian.org/debian-lts-announce/2025/04/msg00019.html