CVE-2023-52424

The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home WEP, Home WPA3 SAE-loop. Enterprise 802.1X/EAP, Mesh AMPE, or FILS, aka an "SSID Confusion" issue. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and because there is not a protected exchange of an SSID during a 4-way handshake.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.5 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://mentor.ieee.org/802.11/dcn/24/11-24-0938-03-000m-protect-ssid-in-4-way-handshake.docx
https://www.top10vpn.com/assets/2024/05/Top10VPN-x-Vanhoef-SSID-Confusion.pdf
https://www.top10vpn.com/research/wifi-vulnerability-ssid/
https://www.wi-fi.org/news-events/press-releases

Configurations

No configuration.

History

29 Aug 2024, 20:35

Type	Values Removed	Values Added
CWE		CWE-304
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.4
Summary		(es) El estándar IEEE 802.11 a veces permite a un adversario engañar a una víctima para que se conecte a una red no deseada o no confiable con Home WEP, Home WPA3 SAE-loop. Enterprise 802.1X/EAP, Mesh AMPE o FILS, también conocido como un problema de "confusión de SSID". Esto ocurre porque el SSID no siempre se utiliza para derivar la clave maestra por pares o las claves de sesión, y porque no existe un intercambio protegido de un SSID durante un protocolo de enlace de 4 vías.

17 May 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-17 21:15

Updated : 2024-08-29 20:35

NVD link : CVE-2023-52424

Mitre link : CVE-2023-52424

CVE.ORG link : CVE-2023-52424

JSON object : View

Products Affected

No product.

CWE

CWE-304

Missing Critical Step in Authentication

7.4 /10