CVE-2022-37660: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-37660 is a security vulnerability affecting hostapd version 2.10 and earlier. The vulnerability was discovered in the Public Key Exchange (PKEX) code implementation, where the PKEX code remains active even after a successful PKEX association (Red Hat CVE).

The vulnerability exists in the PKEX code implementation where an attacker who has previously bootstrapped public keys with another entity using PKEX can subvert future bootstrapping attempts. This is achieved by passively observing public keys, re-using the encrypting element Qi, and subtracting it from the captured message M to obtain the public ephemeral key X. The vulnerability has been assigned a CVSS v3.1 score of 7.4 (High) with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (Red Hat CVE).

The vulnerability enables an attacker with prior PKEX bootstrapping knowledge to passively extract the ephemeral public key (X) from a subsequent exchange, effectively bypassing authentication and subverting the DPP onboarding process. Since PKEX is designed for out-of-band authentication in secure provisioning scenarios, its compromise undermines the integrity of device onboarding, potentially leading to unauthorized network access or man-in-the-middle (MitM) attacks (Red Hat CVE).

A fix has been implemented in the hostapd codebase that deletes the PKEX code and identifier on successful completion of PKEX. The patch ensures that these elements cannot be reused without being explicitly requested to perform PKEX again (Hostap Commit).