In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X; the only element required to subvert the PKEX association.
Weakness
Nonces should be used for the present occasion and only once.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Hostapd | W1.fi | * | 2.10 (including) |
| Wpa | Ubuntu | devel | * |
| Wpa | Ubuntu | esm-infra/focal | * |
| Wpa | Ubuntu | focal | * |
| Wpa | Ubuntu | jammy | * |
| Wpa | Ubuntu | noble | * |
| Wpa | Ubuntu | oracular | * |
| Wpa | Ubuntu | upstream | * |