PT-2025-6404 · Hostap · Hostapd

Published

2022-07-19

·

Updated

2025-09-03

·

CVE-2022-37660

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: hostapd versions 2.10 and earlier
Description: In hostapd the PKEX code remains active even after a PKEX bootstrapping has completed successfully, so the same code, and therefore the same encrypting element Qi derived from it, is reused in later exchanges. In PKEX the initiator's public ephemeral key X is not sent in the clear but as M = X + Qi. An attacker who has previously bootstrapped public keys with the victim using PKEX still knows the code and can compute Qi. By passively observing a later exchange and subtracting Qi from the captured message M (X = M - Qi), the attacker recovers the public ephemeral key X, which is the only element needed to subvert that PKEX association.
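The arithmetic behind that description, as an added example that is not code from this advisory or from hostapd: a minimal NIST P-256 implementation models the initiator sending M = X + Qi, a passive attacker who still holds Qi from an earlier bootstrap recovering X = M - Qi, and the effect of clearing or rotating the code after a successful exchange. The Qi derivation (hash of MAC, identifier and code scaled onto the generator G, with G standing in for the specification's fixed per-curve point Pi), the MAC address, identifier and codes are all simplifications or constructed values, not hostapd's own.

```python
"""Model of the PKEX Qi-reuse problem on NIST P-256 (added example, not hostapd code)."""
import hashlib
import secrets

# NIST P-256 domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; handles doubling and inverse pairs."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p2 == -p1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def derive_qi(initiator_mac, identifier, code):
    """Encrypting element Qi. Simplification (assumption): hash(MAC | identifier | code) * G,
    with G standing in for the spec's fixed per-curve point Pi. Same inputs -> same Qi."""
    h = hashlib.sha256(initiator_mac + identifier + code).digest()
    return ec_mul(int.from_bytes(h, "big") % N, G)


def pkex_exchange_request(x, qi):
    """Initiator side: the ephemeral key X = x*G is sent encrypted as M = X + Qi."""
    X = ec_mul(x, G)
    return X, ec_add(X, qi)


def recover_x(M, qi_known):
    """Passive attacker who knows Qi: X = M - Qi."""
    return ec_add(M, ec_neg(qi_known))


def simulate(code_stays_active, x=None):
    """Return True if an attacker holding Qi from an earlier bootstrap recovers X."""
    mac = bytes.fromhex("02aabbccddee")   # constructed initiator MAC
    identifier = b"ap-onboarding"          # constructed PKEX identifier
    code = b"first-bootstrap-code"         # constructed PKEX code

    # The attacker bootstrapped with this initiator earlier, so it can derive Qi.
    attacker_qi = derive_qi(mac, identifier, code)

    if not code_stays_active:
        code = b"fresh-code-after-success"  # code cleared/rotated after success
    qi_now = derive_qi(mac, identifier, code)

    if x is None:
        x = secrets.randbelow(N - 1) + 1
    X, M = pkex_exchange_request(x, qi_now)
    return recover_x(M, attacker_qi) == X
```

`simulate(True)` is the vulnerable behaviour the advisory describes: the code, and hence Qi, is unchanged after the first successful bootstrap, so the attacker's stored Qi cancels exactly and X is recovered from the observed M. `simulate(False)` models the mitigation: once the code is removed or rotated after success, the new exchange uses a different Qi, subtraction with the old Qi yields an unrelated point, and the passive observer learns nothing about X.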
Recommendations: For hostapd versions 2.10 and earlier, as a temporary workaround, disable PKEX until a patched build is deployed. Restrict which peers can reach the PKEX exchange (for example, limit it to the provisioning window and network segment where onboarding takes place) to reduce exposure. Do not leave a PKEX code configured after a bootstrap has succeeded: remove or rotate it, so that the same encrypting element Qi cannot be derived for a later exchange, since that reuse is exactly what the attack depends on. This entry does not list an upstream hostapd release containing a fix; refer to the Debian (DLA-4123-1) and Ubuntu (USN-7317-1) advisories under Related Identifiers for distribution package updates.

Weakness Enumeration

Related Identifiers

BDU:2026-06675
CVE-2022-37660
DLA-4123-1
USN-7317-1

Affected Products

Debian
Linuxmint
Ubuntu
Hostapd