CVE-2023-52160: 
NixOS vulnerability analysis and mitigation

CVE-2023-52160 is a vulnerability in the implementation of PEAP (Protected Extensible Authentication Protocol) in wpa_supplicant through version 2.10. The vulnerability was discovered in 2023 and publicly disclosed in February 2024. The vulnerability affects Android devices, Linux distributions using the default WiFi client, and ChromeOS devices. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, after which an eap_peap_decrypt vulnerability can be exploited to skip Phase 2 authentication (NVD, Top10VPN).

The vulnerability stems from a flaw in the PEAP implementation where an attacker can bypass authentication by sending an EAP-TLV Success packet instead of starting Phase 2 authentication. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The issue specifically affects the authentication process in Enterprise WiFi networks when the client is not properly configured to verify the authentication server's certificate (NVD, Hostap Commit).

The vulnerability allows an adversary to impersonate Enterprise Wi-Fi networks and potentially intercept network traffic. This is particularly concerning given that it affects approximately 2.3 billion Android users worldwide, as well as Linux and ChromeOS devices. When successfully exploited, an attacker can trick victims into connecting to malicious clones of trusted networks and subsequently intercept their traffic (Top10VPN).

The vulnerability has been patched in various distributions and platforms. ChromeOS users can update to version 118 or later. Linux users need to ensure their distribution provides a patched version of wpa_supplicant. Android users must wait for security updates that include the wpa_supplicant patch. In the meantime, users should manually configure the CA certificate of saved Enterprise networks, use the CAT tool for eduroam connections, and consider using Trust-on-First-Use (TOFU) on latest Android devices. Additional recommendations include cleaning up unused WPA2/3 enterprise networks and disabling automatic reconnection for regularly used networks (Top10VPN).