Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Thu 23 Nov 2017, 14:59
All times are UTC - 4
 Forum index » Off-Topic Area » Security
WPA2 wifi open to key reinstallation attacks
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 3 [41 Posts]   Goto page: 1, 2, 3 Next
Author Message
souleau


Joined: 23 Oct 2016
Posts: 112

PostPosted: Mon 16 Oct 2017, 08:30    Post subject:  WPA2 wifi open to key reinstallation attacks
Subject description: works against ALL modern protected Wi-Fi networks
 

https://www.krackattacks.com/

From the article:

Quote:
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.
Back to top
View user's profile Send private message 
belham2

Joined: 15 Aug 2016
Posts: 1305

PostPosted: Mon 16 Oct 2017, 09:02    Post subject: Re: WPA2 wifi open to key reinstallation attacks
Subject description: works against ALL modern protected Wi-Fi networks
 

souleau wrote:
https://www.krackattacks.com/

From the article:

Quote:
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.



There's nothing to make a Monday super cheerful than to read this line:

"...our key reinstallation attack is exceptionally devastating against Linux.....specifically catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux"


Jeez, do we even use 'wpa_supplicant' in pups, ddogs and fatdogs? I'm assuming we do, as I've had a check across various pups/fatdogs and in /etc/ there is a folder called "wpa_supplicant" and in /usr/bin there's the "wpa_passphrase". But which version is it of wpa_supplicant in our pups? Maybe it's too old (lol) to worry about this article, or.....what? I'll wait for the murga experts here to say what's what before I delete any and all that has to do with wifi in pups/ddogs/fatdogs.


What's really crappy about this article is these guys are presenting their research paper behind the attack, titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, at the Computer and Communications Security (CCS) conference on Wednesday 1 November 2017. Can't these so-called whitehatters stay mum for a few months while they contact---which in this case is darn near every mftr & OS builder on the planet---to give them some time to rectify this?
Back to top
View user's profile Send private message 
perdido


Joined: 09 Dec 2013
Posts: 696
Location: Altair IV , Just north of Eeyore Junction.

PostPosted: Mon 16 Oct 2017, 09:13    Post subject:  

belham2, just type
Code:
wpa_supplicant -v
from console and you will get version info.

EDIT
-------------------------
Some wpa-supplicant version info from what I have installed
Puppy Precise
wpa_supplicant v0.7.3

Puppy Tahr 6.0.5
wpa_supplicant v2.1

Puppy Xenial 7.0.4
wpa_supplicant v2.4

Puppy Xenial-64 7.0.7
wpa_supplicant v2.4

stretch beta pups
wpa_supplicant v2.4

.


.

Last edited by perdido on Mon 16 Oct 2017, 13:22; edited 1 time in total
Back to top
View user's profile Send private message 
belham2

Joined: 15 Aug 2016
Posts: 1305

PostPosted: Mon 16 Oct 2017, 09:22    Post subject:  

perdido wrote:
belham2, just type
Code:
wpa_supplicant -v
from console and you will get version info.

.



Doggone it, perdido, quit telling me how to find out! Laughing
ostrich.jpg
 Description   
 Filesize   35.93 KB
 Viewed   502 Time(s)

ostrich.jpg

Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1688

PostPosted: Mon 16 Oct 2017, 10:29    Post subject:  

Also described on Ars Technica.

From a message sent to others:

Quote:
This is an example of the insane state of the art in IT security. I took a break from reading security material while sorting books to donate to the Friends of the Library book sale, and this came out when I wasn't looking.

How can anyone be secure under these conditions?


Besides Puppy, this opens all kinds of systems to eavesdropping that can expose passwords to just about anything. We ought to be using 2FA based on external tamper-proof devices like the Yubikey everywhere.

Please post some kind of solution or workaround to these problems when it becomes available, if not here, then somewhere prominent -- even if the solution does not apply to Puppy.

The thing that grates on my nerves is that the preferred solution will be to buy new devices -- when they become available. This means that the companies that created the problem will profit from it. Don't expect any long-term fix while this keeps happening.
Back to top
View user's profile Send private message 
souleau


Joined: 23 Oct 2016
Posts: 112

PostPosted: Mon 16 Oct 2017, 11:09    Post subject:  

Here are the Debian security updates for WPA packages.

https://www.debian.org/security/2017/dsa-3999

So far it seems only Jessie and Stretch are fixed.
Back to top
View user's profile Send private message 
belham2

Joined: 15 Aug 2016
Posts: 1305

PostPosted: Mon 16 Oct 2017, 13:56    Post subject:  

Wow, you know this is major when it hits the front page news of sites like Yahoo (and New York Times, Washington Post, etc, etc):

https://finance.yahoo.com/news/researchers-uncover-flaw-makes-wi-fi-vulnerable-hacks-133349669.html


Me thinks we better worry about this one. Sad
Back to top
View user's profile Send private message 
souleau


Joined: 23 Oct 2016
Posts: 112

PostPosted: Mon 16 Oct 2017, 14:05    Post subject:  

Here are the hostapd and wpa_supplicant security patches:

https://w1.fi/security/2017-1/
Back to top
View user's profile Send private message 
vovchik


Joined: 23 Oct 2006
Posts: 1441
Location: Ukraine

PostPosted: Mon 16 Oct 2017, 14:50    Post subject:  

Dear souleau,

Thanks for the info. If anybody has info about patches/firmware updates for WIFI routers (D-Link, Netgear, etc.), please also post, since these are the most vulnerable devices, as I understand it.

With kind regards,
vovchik
Back to top
View user's profile Send private message 
belham2

Joined: 15 Aug 2016
Posts: 1305

PostPosted: Mon 16 Oct 2017, 15:11    Post subject:  

vovchik wrote:
Dear souleau,

Thanks for the info. If anybody has info about patches/firmware updates for WIFI routers (D-Link, Netgear, etc.), please also post, since these are the most vulnerable devices, as I understand it.

With kind regards,
vovchik



Hi vovchik,

Here's a list of the vendors affected, when they were notified, and if & when they've released upgrade/patches for these 11 CVEs. Hope this helps....

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
Back to top
View user's profile Send private message 
8Geee


Joined: 12 May 2008
Posts: 1265
Location: N.E. USA

PostPosted: Mon 16 Oct 2017, 15:37    Post subject:  

Uncle Slacky not yet patched. Original slacko5.7 is v.1.0 with update to 2.4.

Looking at the w1-fi site we are all looking at an OS-side release of wpa_supplicant v.2.7 with full implementation (includes some future-proofing).

Regards
8Geee

PS: belham2... it appears some vendors and builders WERE told about this vunerability at the end of August. That includes Debian and Slackware. The makers of the chiip in the netbooks 2008-10 was also made aware. The maker of my home router/modem was NOT told until today. In fact a lot of the CATV supplied hm/r's were only told today.

_________________
Linux user #498913
Back to top
View user's profile Send private message 
vovchik


Joined: 23 Oct 2006
Posts: 1441
Location: Ukraine

PostPosted: Mon 16 Oct 2017, 15:54    Post subject:  

Dear belham2,

Thanks for that list. It's precisely what I was looking for. Smile

With kind regards,
vovchik
Back to top
View user's profile Send private message 
belham2

Joined: 15 Aug 2016
Posts: 1305

PostPosted: Mon 16 Oct 2017, 17:18    Post subject:  

Here's a better explanation on this problem and what is really involved. It seems, from the look of things, HTTPS already provides protection in that most sensitive communications that might be intercepted, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2.

https://krebsonsecurity.com/2017/10/what-you-should-know-about-the-krack-wifi-security-weakness/


This doesn't mean devices and/or OSes don't have to be patched. They do, especially (as Volchik noted) wireless routers and/or wireless APs.

Still, it's nice to know SSL (HTTPS) is a different encryption layer than WPA2, thus affording some wireless protection.

Begs the question we've had on here before, and which we are not getting an answer from Flash (in contacting John Murga, like asked): why isn't this forum setup to "https", especially given the amount of attachments and scripts that are downloaded from it? Flash, is John Murga still alive? It's been a few weeks since we asked this in another thread. Nearly every Linux forum I am member of went to https quite awhile ago. The murga site is one of the lone holdouts. This is NOT a financial issue, as I discussed in the other thread. This is a question of whether the will is there to do it, or whether it is just not cared about.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1688

PostPosted: Mon 16 Oct 2017, 18:04    Post subject:  

For those with older routers that may be affected, but will probably not get new firmware from the vendor, you may want to install firmware for an open-source router like DD-WRT or Tomato.

So far, I have not seen patches for these, but with source code available for Debian patches these might be fixed before anyone at, say, Cisco gets around to it. Patching the router will protect those devices connecting to it via WiFi, even if they remain vulnerable elsewhere.

Correction: here's a patch for DD-WRT. Obviously, this needs testing.

Patching your home wireless router will protect you in one environment where you spend a lot of time even if the device you are using, like an Android tablet, is vulnerable. Only allow connection with devices you know are patched. With safe WiFi at home and office you may be able to get by until everything else catches up.

It seems Apple is ahead of this game with recent iOS and MacOS.

MicroSoft also released an update on October 10 to fix this.
Back to top
View user's profile Send private message 
jd7654

Joined: 06 Apr 2015
Posts: 256

PostPosted: Tue 17 Oct 2017, 00:06    Post subject:  

prehistoric wrote:
...Patching the router will protect those devices connecting to it via WiFi, even if they remain vulnerable elsewhere.


Patching the router won't fix the problem. This is currently a client side exploit mainly, so all the clients/OSs need to be patched as a priority. The router/AP needs to be updated too, if it is used as a client/bridge, or if a later exploit is discovered on lesser vulnerability. Many routers, webcams and IoT may never get updates though.

Here's a link with a list of updates:
https://github.com/kristate/krackinfo

I already updated my various Linux distros with available patches: Arch, Fedora, Debian. Also downloaded Windows 7 update rollup.(Win10 is automatic) No fix for my Android Phone so doing recommended of switching back to LTE instead of WiFi for now. Amazon Kindle no fix yet.

Mint and Ubuntu LTS updated, and corresponding Puppy Tahr/Xenial can be updated with the same Ubuntu patches:
https://usn.ubuntu.com/usn/usn-3455-1/

Still waiting on Slackware, or have to roll your own.
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 3 [41 Posts]   Goto page: 1, 2, 3 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0580s ][ Queries: 15 (0.0045s) ][ GZIP on ]