A man-in-the-middle vulnerability has been found in OpenBSD's wireless stack.
A malicious access point can trick an OpenBSD client using WPA1 or WPA2 into
connecting to this malicious AP instead of the desired AP. When this attack is
used successfully the OpenBSD client will send and accept unencrypted frames.
This problem only affects OpenBSD clients. OpenBSD access points are unaffected.
Thanks to Mathy Vanhoef <[hidden email]> for finding and
reporting the issue, providing a demo exploit and an initial patch, and
working through several iterations of the patch together with me.
The problem has been fixed in -current. For 5.9 and 6.0 the following errata
patches are available.