FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Wi-Fi encryption bypass

Affected packages
13.2 <= FreeBSD-kernel < 13.2_3
12.4 <= FreeBSD-kernel < 12.4_5


VuXML ID 924cb116-4d35-11ee-8e38-002590c1f29c
Discovery 2023-09-06
Entry 2023-09-07

Problem Description:

The net80211 subsystem would fall back to the multicast key for unicast traffic if the unicast key was removed. This would result in buffered unicast traffic being exposed to any stations with access to the multicast key.


As described in the "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues" paper, an attacker can induce an access point to buffer frames for a client and then deauthenticate the client, causing the unicast key to be removed from the access point. The buffered frames are subsequently flushed, now encrypted with the multicast key. This would give the attacker access to the data.


CVE Name CVE-2022-47522
FreeBSD Advisory SA-23:11.wifi
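
To check a host against the "Affected packages" ranges above, the following added example (not part of the VuXML entry or the FreeBSD advisory) classifies both the installed and the running kernel, so a patched kernel that has not yet been booted is reported separately. The function names `classify_kernel` and `kernel_status` are hypothetical; the ranges are the ones listed on this page.

```sh
#!/bin/sh
# Added example (function names are hypothetical): classify a FreeBSD kernel
# version string against the affected ranges in this VuXML entry.
# VuXML "13.2_3" is the release string "13.2-RELEASE-p3".

# classify_kernel VERSION -> affected | fixed | not-listed | unknown
classify_kernel() {
    ver=$1
    case "$ver" in
        *-RELEASE)    branch=${ver%-RELEASE}; patch=0 ;;
        *-RELEASE-p*) branch=${ver%%-RELEASE-p*}; patch=${ver##*-RELEASE-p} ;;
        # -STABLE, -CURRENT, -RC and similar carry no comparable patch level
        *)            echo unknown; return 0 ;;
    esac
    # Reject anything that is not a plain number after "-p"
    case "$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$branch" in
        13.2) fixed_at=3 ;;   # 13.2 <= FreeBSD-kernel < 13.2_3
        12.4) fixed_at=5 ;;   # 12.4 <= FreeBSD-kernel < 12.4_5
        *)    echo not-listed; return 0 ;;   # branch not in this entry
    esac
    if [ "$patch" -lt "$fixed_at" ]; then echo affected; else echo fixed; fi
}

# kernel_status INSTALLED RUNNING -> one-word verdict for the host.
# The running kernel decides exposure; a fixed kernel on disk only helps
# after a reboot.
kernel_status() {
    installed=$(classify_kernel "$1")
    running=$(classify_kernel "$2")
    if [ "$running" = affected ] && [ "$installed" = fixed ]; then
        echo reboot-pending
    else
        echo "$running"
    fi
}

# On a FreeBSD host: -k is the installed kernel, -r the running kernel.
if command -v freebsd-version >/dev/null 2>&1; then
    kernel_status "$(freebsd-version -k)" "$(freebsd-version -r)"
fi
```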