WPA2 wifi open to key reinstallation attacks

For discussions about security.
souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

WPA2 wifi open to key reinstallation attacks

#1 Post by souleau »

https://www.krackattacks.com/

From the article:
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: WPA2 wifi open to key reinstallation attacks

#2 Post by belham2 »

souleau wrote:https://www.krackattacks.com/

From the article:
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

There's nothing like reading this line to make a Monday super cheerful:

"...our key reinstallation attack is exceptionally devastating against Linux.....specifically catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux"


Jeez, do we even use 'wpa_supplicant' in pups, ddogs and fatdogs? I'm assuming we do, as I've had a check across various pups/fatdogs and in /etc/ there is a folder called "wpa_supplicant" and in /usr/bin there's the "wpa_passphrase". But which version is it of wpa_supplicant in our pups? Maybe it's too old (lol) to worry about this article, or.....what? I'll wait for the murga experts here to say what's what before I delete any and all that has to do with wifi in pups/ddogs/fatdogs.


What's really crappy about this article is these guys are presenting their research paper behind the attack, titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, at the Computer and Communications Security (CCS) conference on Wednesday 1 November 2017. Can't these so-called whitehatters stay mum for a few months while they contact---which in this case is darn near every mftr & OS builder on the planet---to give them some time to rectify this?

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#3 Post by perdido »

belham2, just type

wpa_supplicant -v
from console and you will get version info.

EDIT
-------------------------
Some wpa-supplicant version info from what I have installed
Puppy Precise
wpa_supplicant v0.7.3

Puppy Tahr 6.0.5
wpa_supplicant v2.1

Puppy Xenial 7.0.4
wpa_supplicant v2.4

Puppy Xenial-64 7.0.7
wpa_supplicant v2.4

stretch beta pups
wpa_supplicant v2.4

Last edited by perdido on Mon 16 Oct 2017, 17:22, edited 1 time in total.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#4 Post by belham2 »

perdido wrote:belham2, just type

wpa_supplicant -v
from console and you will get version info.


Doggone it, perdido, quit telling me how to find out! :lol:

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#5 Post by prehistoric »

Also described on Ars Technica.

From a message sent to others:
This is an example of the insane state of the art in IT security. I took a break from reading security material while sorting books to donate to the Friends of the Library book sale, and this came out when I wasn't looking.

How can anyone be secure under these conditions?
Besides Puppy, this opens all kinds of systems to eavesdropping that can expose passwords to just about anything. We ought to be using 2FA based on external tamper-proof devices like the Yubikey everywhere.

Please post some kind of solution or workaround to these problems when it becomes available, if not here, then somewhere prominent -- even if the solution does not apply to Puppy.

The thing that grates on my nerves is that the preferred solution will be to buy new devices -- when they become available. This means that the companies that created the problem will profit from it. Don't expect any long-term fix while this keeps happening.

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#6 Post by souleau »

Here are the Debian security updates for WPA packages.

https://www.debian.org/security/2017/dsa-3999

So far it seems only Jessie and Stretch are fixed.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#7 Post by belham2 »

Wow, you know this is major when it hits the front page news of sites like Yahoo (and New York Times, Washington Post, etc, etc):

https://finance.yahoo.com/news/research ... 49669.html


Me thinks we better worry about this one. :(

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#8 Post by souleau »

Here are the hostapd and wpa_supplicant security patches:

https://w1.fi/security/2017-1/

vovchik
Posts: 1507
Joined: Tue 24 Oct 2006, 00:02
Location: Ukraine

#9 Post by vovchik »

Dear souleau,

Thanks for the info. If anybody has info about patches/firmware updates for WIFI routers (D-Link, Netgear, etc.), please also post, since these are the most vulnerable devices, as I understand it.

With kind regards,
vovchik

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#10 Post by belham2 »

vovchik wrote:Dear souleau,

Thanks for the info. If anybody has info about patches/firmware updates for WIFI routers (D-Link, Netgear, etc.), please also post, since these are the most vulnerable devices, as I understand it.

With kind regards,
vovchik

Hi vovchik,

Here's a list of the vendors affected, when they were notified, and if & when they've released upgrade/patches for these 11 CVEs. Hope this helps....

http://www.kb.cert.org/vuls/byvendor?se ... rchOrder=4

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#11 Post by 8Geee »

Uncle Slacky not yet patched. Original slacko5.7 is v.1.0 with update to 2.4.

Looking at the w1.fi site, we are all looking at an OS-side release of wpa_supplicant v.2.7 with full implementation (includes some future-proofing).

Regards
8Geee

PS: belham2... it appears some vendors and builders WERE told about this vulnerability at the end of August. That includes Debian and Slackware. The makers of the chip in the netbooks 2008-10 were also made aware. The maker of my home router/modem was NOT told until today. In fact a lot of the CATV supplied hm/r's were only told today.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

vovchik
Posts: 1507
Joined: Tue 24 Oct 2006, 00:02
Location: Ukraine

#12 Post by vovchik »

Dear belham2,

Thanks for that list. It's precisely what I was looking for. :)

With kind regards,
vovchik

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#13 Post by belham2 »

Here's a better explanation on this problem and what is really involved. It seems, from the look of things, HTTPS already provides protection in that most sensitive communications that might be intercepted, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2.

https://krebsonsecurity.com/2017/10/wha ... -weakness/


This doesn't mean devices and/or OSes don't have to be patched. They do, especially (as vovchik noted) wireless routers and/or wireless APs.

Still, it's nice to know SSL (HTTPS) is a different encryption layer than WPA2, thus affording some wireless protection.

Begs the question we've had on here before, and which we are not getting an answer from Flash (in contacting John Murga, like asked): why isn't this forum setup to "https", especially given the amount of attachments and scripts that are downloaded from it? Flash, is John Murga still alive? It's been a few weeks since we asked this in another thread. Nearly every Linux forum I am member of went to https quite awhile ago. The murga site is one of the lone holdouts. This is NOT a financial issue, as I discussed in the other thread. This is a question of whether the will is there to do it, or whether it is just not cared about.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#14 Post by prehistoric »

For those with older routers that may be affected, but will probably not get new firmware from the vendor, you may want to install firmware for an open-source router like DD-WRT or Tomato.

So far, I have not seen patches for these, but with source code available for Debian patches these might be fixed before anyone at, say, Cisco gets around to it. Patching the router will protect those devices connecting to it via WiFi, even if they remain vulnerable elsewhere.

Correction: here's a patch for DD-WRT. Obviously, this needs testing.

Patching your home wireless router will protect you in one environment where you spend a lot of time even if the device you are using, like an Android tablet, is vulnerable. Only allow connection with devices you know are patched. With safe WiFi at home and office you may be able to get by until everything else catches up.

It seems Apple is ahead of this game with recent iOS and macOS.

Microsoft also released an update on October 10 to fix this.

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#15 Post by jd7654 »

prehistoric wrote:...Patching the router will protect those devices connecting to it via WiFi, even if they remain vulnerable elsewhere.
Patching the router won't fix the problem. This is currently a client side exploit mainly, so all the clients/OSs need to be patched as a priority. The router/AP needs to be updated too, if it is used as a client/bridge, or if a later exploit is discovered on lesser vulnerability. Many routers, webcams and IoT may never get updates though.

Here's a link with a list of updates:
https://github.com/kristate/krackinfo

I already updated my various Linux distros with available patches: Arch, Fedora, Debian. Also downloaded the Windows 7 update rollup (Win10 is automatic). No fix for my Android phone, so doing the recommended thing and switching back to LTE instead of WiFi for now. Amazon Kindle no fix yet.

Mint and Ubuntu LTS updated, and corresponding Puppy Tahr/Xenial can be updated with the same Ubuntu patches:
https://usn.ubuntu.com/usn/usn-3455-1/

Still waiting on Slackware, or have to roll your own.

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

#16 Post by ozsouth »

For Slackware64, I have wpa_supplicant v2.0. It has its own vulns, but would it be better until v2.7 arrives?

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#17 Post by belham2 »

jd7654 wrote:
prehistoric wrote:...Patching the router will protect those devices connecting to it via WiFi, even if they remain vulnerable elsewhere.
Patching the router won't fix the problem. This is currently a client side exploit mainly, so all the clients/OSs need to be patched as a priority. The router/AP needs to be updated too, if it is used as a client/bridge, or if a later exploit is discovered on lesser vulnerability. Many routers, webcams and IoT may never get updates though.

Here's a link with a list of updates:
https://github.com/kristate/krackinfo

I already updated my various Linux distros with available patches: Arch, Fedora, Debian. Also downloaded Windows 7 update rollup.(Win10 is automatic) No fix for my Android Phone so doing recommended of switching back to LTE instead of WiFi for now. Amazon Kindle no fix yet.

Mint and Ubuntu LTS updated, and corresponding Puppy Tahr/Xenial can be updated with the same Ubuntu patches:
https://usn.ubuntu.com/usn/usn-3455-1/

Still waiting on Slackware, or have to roll your own.
Hi jd7654,

You lost me a bit (the bold, underlined above).

A neighbor friend has a combo DSL-ethernet modem/router from his DSL provider where the wifi is turned off. From behind it, sits another ethernet-connected router that is nothing more than a dumb ethernet/wifi (WPA2) Access Point. Are you saying it doesn't matter to patch this Access Point, because first you say "patching won't fix the router..." then in the next sentence "..the router/AP needs to be updated too...." His ISP pushed out updates to that main router already.

I don't know what to tell him.....like his ISP, my router mftr already pushed stuff out yesterday when I checked, so I updated the firmware to take care of just the router concerning this.

But with him, should I tell him to worry about all the ethernet/wifi OSes & gadgets he has (connected to the AP) in the house first and worry about the AP itself later? Or focus on getting his AP behind the already updated main router updated first, then all the computers/gadgets afterwards???

Thanks for any advice/tips....

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#18 Post by jd7654 »

belham2 wrote:...You lost me a bit (the bold, underlined above).
...
But with him, should I tell him to worry about all the ehternet/wifi OSes & gadgets he has (connected to the AP) in the house first and worry about the AP itself later?
Yeah, worry about the wireless clients first.

It's still early, since the exploit just got published yesterday, lots of confusion (although vendors knew months ago...). Gotta dig through the reports, but it's there. There are multiple vulnerabilities exposed with this new attack vector, but most of the exposure is to the client.

My AP vendor TP-Link still hasn't pushed out any fixes yet, but only said this:
"The publisher also points out that, the main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates."

Lots of AP vendor information is vague or misleading, leaving people to think that the fix to the AP fixes the vulnerability. I found one vendor, Meraki, that explained that little fact better:
"If I upgrade to MR24-11/MR25-7, will I be protected from all 10 security vulnerabilities?
No, the fix protects devices from the 802.11r vulnerability. For all other vulnerabilities, as mentioned in the table above, the client is under attack and hence cannot be protected by the AP. "


So basically, patching your router/AP may fix only 1 out of 10 vulnerabilities. The client has all the other 9 more severe vulnerabilities.
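The client-side point made in posts #2 and #18 (a replayed message 3 makes the client reinstall its key and reset the packet number, and wpa_supplicant 2.4+ ends up installing an all-zero key) is easier to see in a toy model. The following is an added example written for this page, not code from the KRACK paper, hostapd or wpa_supplicant. Assumptions: a SHA-256 based keystream stands in for CCMP, the handshake messages are reduced to the derived key itself, `zero_key_after_install` models the wpa_supplicant 2.4+ behaviour of wiping the key after the first install, `patched` models the w1.fi 2017-1 style fix of never reinstalling a key that is already in use, and the two frames are constructed sample data.

```python
import hashlib
import os

# Constructed sample frames (same length so the XOR recovery below is exact).
P1 = b"GET /login?user=alice&pw=hunter2".ljust(32)
P2 = b"GET /inbox?session=0123456789abc".ljust(32)


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Per-packet keystream from (temporal key, packet number).
    Constructed stand-in for AES-CCM: what matters is that the same
    (tk, pn) pair always yields the same keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client-side state for the key-install step of the 4-way handshake (toy model)."""

    def __init__(self, zero_key_after_install: bool = False, patched: bool = False):
        self.ptk = None           # key derived from the handshake, held until install
        self.tk = None            # key currently installed in the driver
        self.pn = 0               # transmit packet number: the CCMP nonce
        self.installed = False
        self.zero_key_after_install = zero_key_after_install  # assumption: wpa_supplicant >= 2.4 behaviour
        self.patched = patched    # assumption: w1.fi 2017-1 style fix, no reinstall of an in-use key

    def on_msg3(self, ptk: bytes) -> str:
        """Handle message 3, whether the first copy or a replayed one, and answer with message 4."""
        if self.ptk is None:
            self.ptk = ptk
        if self.patched and self.installed:
            return "msg4"          # fixed client: acknowledge, but keep key and packet number
        # Standard install semantics: install the key and reset the packet number.
        self.tk = self.ptk
        self.pn = 0
        self.installed = True
        if self.zero_key_after_install:
            self.ptk = bytes(len(ptk))   # key wiped after first install, so a reinstall installs zeros
        return "msg4"

    def send(self, plaintext: bytes):
        pn = self.pn
        self.pn += 1
        return pn, xor(plaintext, keystream(self.tk, pn, len(plaintext)))


def run_attack(client: Supplicant):
    """Attacker in the middle: let message 3 through, block message 4 so the AP
    retransmits message 3, then deliver that retransmission after the client
    has already sent a frame. Returns both frames with their packet numbers."""
    ptk = os.urandom(16)
    client.on_msg3(ptk)              # first delivery, legitimate install
    pn1, ct1 = client.send(P1)
    client.on_msg3(ptk)              # replayed message 3 (the AP's retransmission)
    pn2, ct2 = client.send(P2)
    return pn1, ct1, pn2, ct2


def recover_by_keystream_reuse(pn1, ct1, pn2, ct2, known_p1):
    """Same (key, pn) twice means ct1 XOR ct2 == p1 XOR p2; with p1 known, p2 falls out."""
    if pn1 != pn2:
        return None
    return xor(xor(ct1, ct2), known_p1)


def recover_with_zero_key(pn2, ct2):
    """The 2.4+ variant: after the replay the installed key is all zeros,
    so the attacker needs no known plaintext at all."""
    return xor(ct2, keystream(bytes(16), pn2, len(ct2)))


if __name__ == "__main__":
    for label, client in [("unpatched", Supplicant()),
                          ("wpa_supplicant>=2.4 style", Supplicant(zero_key_after_install=True)),
                          ("patched", Supplicant(patched=True))]:
        pn1, ct1, pn2, ct2 = run_attack(client)
        print(label, "| pn after replay:", pn2,
              "| known-plaintext recovery:", recover_by_keystream_reuse(pn1, ct1, pn2, ct2, P1) == P2,
              "| zero-key recovery:", recover_with_zero_key(pn2, ct2) == P2)
```

Note where the fix lives: the AP retransmitting message 3 is standard-compliant behaviour, and nothing in the model changes on the AP side. Only the `patched` branch in `on_msg3`, which refuses to reinstall an already-installed key, stops the packet number from resetting, which is why a router firmware update alone does not protect an unpatched client.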

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

Slacko5.7

#19 Post by 8Geee »

Slacko5.7 is between a rock and a hard place.
The default is wpa_supplicant v. 1.0
Upgrade is to v. 2.4... pick your poison.

I did a cursory search of the Slackware security advisories from late 2014 to find the v. 2.3.
Unfortunately Uncle Slacky says only the most recent upgrade is allowed. So much for the end-around. :roll:

Regards
8Geee

fabrice_035
Posts: 765
Joined: Mon 28 Apr 2014, 17:54
Location: Bretagne / France

#20 Post by fabrice_035 »

I have upgraded wpa_supplicant on tahrpup to version 2.4 (see here, in French: http://www.murga-linux.com/puppy/viewtopic.php?t=111840)

The strange thing is that if you try to get the latest version of wpa_supplicant, you can't tell from the -v option whether it is patched, because the version is the same after the patch.

Explain it to me :shock:
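Post #3's `wpa_supplicant -v` check and post #20's observation (a distro backport leaves the version string alone) fit together in one small script. This is an added example for this page, not hostap project code. It classifies the version against the ranges discussed in the thread (2.4+ is the case the article calls catastrophic; upstream shipped the fix in 2.7) and then looks for the first KRACK CVE id from the linked w1.fi 2017-1 advisory in the package changelog, which on Debian/Ubuntu is assumed to be `/usr/share/doc/wpasupplicant/changelog.Debian.gz`. The changelog entries below are constructed samples, not real Debian text, and the verdict strings are this example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

VERSION_RE = re.compile(r"^wpa_supplicant v(\d+)\.(\d+)")

# Constructed sample changelog entries (not real Debian/Ubuntu text): a distro
# backport keeps the upstream version and records the fix here instead.
CHANGELOG_PATCHED = """wpasupplicant (2.4-example2) example; urgency=high
  * Apply upstream 2017-1 key reinstallation fixes (CVE-2017-13077 and related).
"""
CHANGELOG_UNPATCHED = """wpasupplicant (2.4-example1) example; urgency=low
  * Initial packaging of upstream 2.4.
"""


def parse_version(first_line: str) -> Optional[Tuple[int, int]]:
    """(major, minor) from a line such as 'wpa_supplicant v2.4'; None if it is not that line."""
    m = VERSION_RE.match(first_line.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(version: Optional[Tuple[int, int]]) -> str:
    """Map a version to the ranges discussed in the thread."""
    if version is None:
        return "unknown"
    if version >= (2, 7):
        return "fixed-upstream"        # upstream release carrying the 2017-1 fixes
    if version >= (2, 4):
        return "affected-zero-key"     # 2.4+: the case the article calls catastrophic
    return "affected"                  # older: key reinstallation still applies


def changelog_mentions_fix(changelog_text: str) -> bool:
    """Look for the first KRACK CVE id listed in the w1.fi 2017-1 advisory."""
    return "CVE-2017-13077" in changelog_text


def verdict(first_line: str, changelog_text: str = "") -> str:
    """Version verdict, overridden by 'patched-by-distro' when the changelog records the fix."""
    cls = classify(parse_version(first_line))
    if cls.startswith("affected") and changelog_mentions_fix(changelog_text):
        return "patched-by-distro"
    return cls


def installed_version_line() -> Optional[str]:
    """First line of `wpa_supplicant -v` on this machine, or None if it is not installed."""
    try:
        proc = subprocess.run(["wpa_supplicant", "-v"], capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    text = proc.stdout or proc.stderr
    return text.splitlines()[0] if text.strip() else None


if __name__ == "__main__":
    import gzip
    line = installed_version_line() or ""
    try:  # assumed Debian/Ubuntu changelog location; absent on other distros
        with gzip.open("/usr/share/doc/wpasupplicant/changelog.Debian.gz", "rt", errors="replace") as f:
            changelog = f.read()
    except OSError:
        changelog = ""
    print(line or "wpa_supplicant not found", "->", verdict(line, changelog))
```

An "affected" verdict from this script means "the version alone says nothing either way; read the changelog or the vendor advisory", not "exploitable": a backported fix and an unpatched build print the same `-v` line, which is exactly the confusion raised above.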
