---
Wireless security is always evolving, but sometimes past bugs lay the foundation for new attacks. CVE-2022-23304 is one such issue; it affects both hostapd and wpa_supplicant—core building blocks of Wi-Fi authentication used in millions of routers, phones, and laptops. This vulnerability allows a savvy attacker to exploit the way these applications handle passwords during authentication, leaking secrets through processor cache behavior (a form of _side-channel attack_). Let’s break down what happened, what was missed in an earlier fix, and how an attacker could exploit this bug.

EAP-pwd, the Protocol at the Center

EAP-pwd is a protocol that securely authenticates users with their passwords during Wi-Fi connection. hostapd and wpa_supplicant both implement this protocol to provide WPA and WPA2 Enterprise support.

wpa_supplicant: The software that lets devices connect securely to Wi-Fi.

The security of EAP-pwd relies on never exposing bits of the password, even indirectly.

The Problem: Cache-based Side-Channel Attack

CVE-2022-23304 is what’s called a _side-channel vulnerability_. Instead of directly guessing your password, an attacker carefully watches how a system’s CPU cache is accessed during authentication. Subtle differences in memory access patterns can reveal information about the mathematical operations being performed with the user's password.

Crucially, this bug is a _partial repeat_ of an older issue: CVE-2019-9495. The earlier patch was incomplete—while it tried to standardize certain cryptographic operations, it still left behind cache-access quirks attackers could exploit.

How the Attack Works: Step by Step

1. Preparation: The attacker observes the authentication process either from the same machine (on a multi-user system) or through virtualized/cloud environments sharing hardware.
2. Trigger EAP-pwd Exchange: The attacker triggers or passively observes several EAP-pwd authentications.
3. Spy on the Cache: Using known methods like _Flush+Reload_ or _Prime+Probe_, the attacker carefully observes memory access patterns related to password processing.
4. Infer Password Bits: By analyzing which code paths or memory lookups are accessed, the attacker can gradually reconstruct the password or key.

No special privileges are required besides having some way to observe the system during authentication, which is feasible in many multi-user or cloud environments.

The Vulnerable Code (Simplified)

Here’s a simplified snippet inspired by typical issues:  
(_For illustration: actual vulnerable code may vary, but the pattern is similar_)  

int compute_password_element(const uint8_t *password, size_t len) {
    int x = , i;
    for (i = ; i < len; i++) {
        if (password[i] & 1) // <-- Cache access pattern depends on secret data
            x += expensive_crypto[i];
        else
            x -= expensive_crypto[i];
    }
    return x;
}


The problem:

A secure (constant time) version would avoid data-dependent branches

int compute_password_element(const uint8_t *password, size_t len) {
    int x = , i;
    for (i = ; i < len; i++) {
        // Avoid if-else by always performing both calculations and using bitwise tricks:
        x += ((-(password[i]&1)) & expensive_crypto[i]);
        x -= ((~-(password[i]&1)) & expensive_crypto[i]);
    }
    return x;
}

Sample Exploit Approach

An attacker might use the widely known Flush+Reload technique like this (concept overview):

1. Map victim process’s memory and find function or data used differently depending on the password bit.
2. Flush cache lines related to this function/data before authentication starts.

Sample pseudo-Python code

# Pseudo-steps for Flush+Reload (not real exploit)
flush(memory_line)
wait_for_auth()
if reload(memory_line) is fast:
    print("Line was accessed! Password bit may be 1.")
else:
    print("Line not accessed. Password bit may be .")

The Fix – Constant-Time Crypto

After disclosure, maintainers patched both projects. hostapd and wpa_supplicant v2.10 and above implement password processing and cryptographic operations in constant time—no matter what the password is, the cache is accessed the same way each run, foiling side-channel attacks.

Reference commit:  
- hostapd commit message (2022 fix)

How to Protect Yourself

- Update hostapd and wpa_supplicant to 2.10+ on all devices, especially Wi-Fi routers and Linux computers.
- Patch regularly! Even tiny, invisible bugs like this can be chained with other vulnerabilities for big attacks.
- If you run Wi-Fi in shared or cloud environments: assume past handshakes may have leaked info and rotate passwords/keys.

- CVE-2022-23304 MITRE Entry
- hostapd Security Announce
- Original fix for CVE-2019-9495
- Flush+Reload Attack Explanation (Wikipedia)

Conclusion

While not as headline-grabbing as remote code execution, CVE-2022-23304 is a real risk for environments where attackers can closely monitor your authentication process. If you use Wi-Fi in any business, education, or tech setting, make sure your authentication backends (hostapd/wpa_supplicant) are up to date. And remember: cryptographic code that isn’t constant-time is just waiting for a new side-channel exploit.

Timeline

Published on: 01/17/2022 02:15:00 UTC
Last modified on: 02/28/2022 22:07:00 UTC