First published: Tue Feb 11 2025
In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker who successfully bootstrapped public keys with another entity using that PKEX code in the past can subvert a future bootstrapping by passively observing the exchange, re-using the encrypting element Qi (which is derived from the still-active code) and subtracting it from the captured message M (X = M - Qi). This yields the initiator's ephemeral public key X, the only element required to subvert the PKEX association.
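The following is an added worked example, not hostapd code and not part of the original advisory. It shows the subtraction X = M - Qi on NIST P-256 (the default DPP/PKEX curve): the initiator masks its ephemeral public key X as M = X + Qi, and anyone who can recompute Qi, because the code that Qi is derived from is still active, recovers X from the observed M. The curve arithmetic is textbook affine P-256; `derive_qi` is a simplified stand-in for the specification's hash-to-curve and is an assumption, as are the MAC address, the code and the private scalar, all of which are constructed for the example. The `PkexResponder` class models the fix described later on this page (the code stops being usable once an association has completed) and is likewise illustrative rather than hostapd's implementation.

```python
import hashlib

# NIST P-256 domain parameters, the default curve for DPP/PKEX bootstrapping.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    """True for the point at infinity (None) or an affine point with y^2 = x^3 + ax + b."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; handles doubling and the point at infinity (None)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def ec_sub(p1, p2):
    """P1 - P2, i.e. the operation the attacker applies to the captured M."""
    return ec_add(p1, ec_neg(p2))


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def derive_qi(mac_initiator, code):
    """ASSUMPTION: simplified stand-in for the spec's hash-to-curve of the code.
    It keeps the one property that matters for the CVE: anyone who knows the
    (still-active) code and the initiator MAC recomputes the same Qi."""
    h = int.from_bytes(hashlib.sha256(mac_initiator + code).digest(), "big") % N
    return ec_mul(h or 1, G)


def pkex_exchange_message(x_priv, mac_initiator, code):
    """Initiator side: ephemeral X = x*G is sent masked as M = X + Qi."""
    X = ec_mul(x_priv, G)
    M = ec_add(X, derive_qi(mac_initiator, code))
    return X, M


def recover_x_from_m(M, mac_initiator, code):
    """Passive attacker who bootstrapped with this code earlier: X = M - Qi."""
    return ec_sub(M, derive_qi(mac_initiator, code))


class PkexResponder:
    """Illustrative model of the fix: one successful association consumes the
    code, so the same code cannot mask a later exchange on this responder."""

    def __init__(self, mac_initiator, code):
        self.mac_initiator = mac_initiator
        self.code = code

    def unmask(self, M):
        if self.code is None:
            raise RuntimeError("PKEX code already used; refusing further exchanges")
        X = ec_sub(M, derive_qi(self.mac_initiator, self.code))
        self.code = None   # clear the code once the association has completed
        return X


if __name__ == "__main__":
    # Constructed sample values: not a real device MAC, code or key.
    mac = bytes.fromhex("02000000aa01")
    code = b"correct horse battery staple"
    x_priv = 0x1f3a7c9e5d2b4a6c8e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d
    X, M = pkex_exchange_message(x_priv, mac, code)
    print("attacker recovered X:", recover_x_from_m(M, mac, code) == X)
```

Running the block shows that the observer recovers X exactly, while the same subtraction with a different code yields an unrelated point; the responder model accepts the first exchange and refuses a second one under the consumed code, which is the behaviour the fixed versions are meant to provide.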
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
w1.fi hostapd | <=2.10 | Upgrade to hostapd 2.11 or later |
CVE-2022-37660 is rated medium severity: it lets an attacker who already knows a PKEX code subvert a later bootstrapping that is run with that same code.
To fix CVE-2022-37660, upgrade hostapd to version 2.11 or later, where the PKEX code no longer remains active after a successful association.
CVE-2022-37660 lets an attacker who previously bootstrapped with the same PKEX code recover the ephemeral public key X of a later exchange from the observed message M, compromising the bootstrapping the exchange was meant to secure.
Users who have upgraded to hostapd 2.11 or newer are not affected by CVE-2022-37660; on older versions, exposure is limited to deployments where a PKEX code is left in place and reused after it has already completed an association.
CVE-2022-37660 can facilitate man-in-the-middle attacks, since an attacker who recovers X can subvert the PKEX association that was supposed to authenticate the bootstrapped public keys.