Possible vulnerability: SSID Confusion Attack (CVE-2023-52424)



Can anyone confirm GL.iNet is affected and, if applicable, if there is a mitigation option for affected setups?

Yup, should be vulnerable in WPA3 mode, as discussed here:

It depends on which WPA3 mode is active, can't tell - guess it might be included in the Wi-Fi driver.
Some GL staff need to take a look into it. @alzhao

It is an issue in the whole IEEE 802.11 standard, so if GL.iNet would 'fix' it, the risk is high that it would be incompatible with other WLAN devices.

If you read the text from Professor Mathy Vanhoef, he suggests the simple solution for home networks: Switch back to WPA2.
(I've got it as PDF, don't know if the document is classified, so I can't share a source. Sorry for that)

In enterprise environments it is more difficult, but I don't think we need to discuss this here.

This should be the PDF I guess?

Yeah, this is the base. But I got some additional side notes. I can't see the origin on my mobile PDF viewer.

Thanks for the link.