WPA2 wifi open to key reinstallation attacks

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#21 Post by souleau »

fabrice_035 wrote:I have upgraded wpa_supplicant from tahrpup to version 2.4
From what I can tell from this quote on the krackattacks website, you were probably better off not upgrading wpa_supplicant.
Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux.

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#22 Post by jd7654 »

RE: WPA Supplicant versions.

It's not so much the version number that matters, but whether or not it is patched for the Krack vulnerability. Yeah, it would be nice if they changed the version number so you could immediately recognize, but they probably just did a quick fix, applied the patches and recompiled.

Various versions of wpa_supplicant have been patched and released:(I updated all these)
Ubuntu 14.04 - 2.1-0ubuntu1.5
Ubuntu 16.04 - 2.4-0ubuntu6.2
Debian 8 - 2.3-1deb8u5
Debian 9 - 2.4-1deb9u1
Arch and Fedora - 2.6-11

Does it work? I have no idea, I guess you just have to trust that they fixed it properly. All I can see is the file size increased. They are supposed to be releasing a tool later to allow you to check for the vulnerability on patched systems.

Many platforms have still not been patched like Apple, Google (Android, Chrome) and Amazon, it's still early. Unless you have a hacker living next door that is planning to attack you with Krack right now, you can probably wait a while till all the fixes get hashed out. I did try and compile with patches in Slacko 5.7 and 6.3.2 with wpa_supplicant 2.4, seemed to work OK, but I have no idea if it is patched properly. Hopefully Slackware releases their fixed versions eventually.
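Added example, not code from this thread or from any distribution: since the Ubuntu and Debian fixes keep the upstream version number and only bump the package revision, "wpa_supplicant -v" cannot tell you whether you are patched, but the package version can. On a real Ubuntu or Debian host you would run `dpkg-query -W wpasupplicant` and `dpkg --compare-versions`; the script below reimplements dpkg's version ordering (epoch, then upstream, then revision; digit runs compared as numbers; "~" sorting before everything, even the end of the string) so the check can be tried anywhere. The FIXED table is constructed from the versions listed in the post above; confirm the exact strings against USN-3455-1 and DSA-3999 before trusting them.

```python
"""Check an installed wpasupplicant package version against the fixed
versions from the post above (added example; reimplements dpkg ordering)."""

# Fixed versions as listed in the post (constructed lookup table; check the
# advisories for the exact strings, which may carry an epoch such as "2:").
FIXED = {
    "ubuntu-14.04": "2.1-0ubuntu1.5",
    "ubuntu-16.04": "2.4-0ubuntu6.2",
    "debian-8": "2.3-1deb8u5",
    "debian-9": "2.4-1deb9u1",
}


def _order(c):
    """Character weight used by dpkg for the non-digit parts of a version."""
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c.isdigit():
        return 0             # digits are handled by the numeric comparison
    if c.isalpha():
        return ord(c)        # letters sort before non-letters ...
    if c:
        return ord(c) + 256  # ... punctuation such as '+' or '.' sorts after them
    return 0                 # end of string


def _cmp_fragment(a, b):
    """Compare an upstream or revision fragment the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return (ac > bc) - (ac < bc)
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is the larger number,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return (first_diff > 0) - (first_diff < 0)
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def deb_version_compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_patched(installed, distro):
    """True if the installed wpasupplicant version is at or above the fixed one."""
    return deb_version_compare(installed, FIXED[distro]) >= 0


def report(dpkg_lines, distro):
    r"""Parse lines in the form dpkg-query -W -f='${Package} ${Version}\n' prints
    and return {package: patched?} for the wpasupplicant entries found."""
    result = {}
    for line in dpkg_lines:
        name, _, version = line.strip().partition(" ")
        if name == "wpasupplicant" and version:
            result[name] = is_patched(version, distro)
    return result


if __name__ == "__main__":
    # Constructed sample of what dpkg-query would print on a Tahr (14.04-based)
    # system before and after the USN-3455-1 update.
    for sample in ("wpasupplicant 2.1-0ubuntu1.4", "wpasupplicant 2.1-0ubuntu1.5"):
        print(sample, "->", report([sample], "ubuntu-14.04"))
```

The numeric comparison matters: a plain string compare would rank 2.1-0ubuntu1.10 below 2.1-0ubuntu1.5, and a pre-release such as 2.6~rc1-1 must sort below 2.6-1. On a Puppy built from Ubuntu packages without a working dpkg database, fall back to the file date and size check jd7654 shows further down.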

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#23 Post by souleau »

I am rather curious as to what extent versions of wpa_supplicant before 2.4 (read: older puppies) are exposed to this.

I run Precise myself and so my wpa_supplicant version is 0.7.3.

Now, I do not use wifi at all at home, but we do have visitors from time to time who bring their electronics. I'm probably right in assuming there won't be any patches for older versions of wpa_supplicant, so any more insight in the risks involved would be nice.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#24 Post by Flash »

Here's a good article from TechRepublic describing the attack and how it works, in some detail.
Of note, this attack does not allow attackers to recover the network password...

...Because of the nature of the attack, the client device is the target and is, therefore, the highest priority for patching.

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#25 Post by jd7654 »

souleau wrote:...I run Precise myself and so my wpa_supplicant version is 0.7.3.
I have Precise installed in some places. Tried to run the Trusty patch release wpasupplicant_2.1-0ubuntu1.5_i386 and it seems to work on Precise, no library conflicts, etc. Seems to run fine with wireless connection.

So you could try that. Either drop in the minimum binaries, or install the full package, but I'd be more cautious about doing that.

Or you could try compiling as high a wpa_supplicant version as your distro/libraries allows and then patching that. Or just upgrade to Puppy Tahr or Xenial which still has official Ubuntu support.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#26 Post by 8Geee »

souleau:

My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.

Folks at 'buntu varieties have a habit of using the base version with an additional extension such as 2.1-4 or 2.0-5 etc. As a calendar basis for this, any update in 2015 or 2016 is highly suspect of being at least wpa_supplicant 2.4 or newer. Slackware shows May 2015 as its update to v. 2.4, and December 2014 as v. 2.3.

As I'm writing and doing double-check, Slackware has released its patch for wpa_supplicant dated today (10/18/17). Note that Slackware is posting updates for 14.0, 14.1, 14.2 and current... all show v2.6-1.

Regards
8Geee
Last edited by 8Geee on Thu 19 Oct 2017, 02:57, edited 1 time in total.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Gordie
Posts: 153
Joined: Tue 23 Aug 2016, 15:26
Location: Nolalu, Ontario, Canada

Slackware has a fix

#27 Post by Gordie »

Here is the Changelog for Slackware

ftp://ftp.osuosl.org/pub/slackware/slac ... ngeLog.txt

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#28 Post by belham2 »

8Geee wrote:souleau:

My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.

Folks at 'buntu varieties have a habit of using the base version with an additional extension such as 2.1-4 or 2.0-5 etc. As a calendar basis for this, any update in 2015 or 2016 is highly suspect of being at least wpa_supplicant 2.4 or newer. Slackware shows May 2015 as its update to v. 2.4, and December 2014 as v. 2.3.

As I'm writing and doing double-check, Slackware has released its patch for wpa_supplicant dated today (10/18/17). Note that Slackware is posting updates for 14.0, 14.1, 14.2 and current... all show v2.6-1.

Regards
8Geee

8GEEE,

How do we get the slackware wpa-supplicant-v2.6.1-update into our slackware-based pups that are not Peebee's slack-versions (his are already patched with his deltas applied to ISO--http://www.murga-linux.com/puppy/viewto ... 393#971393)? For all other slackos (including yours), can I just delete the existing wpa_supplicant in all these 'frugal' setup slackpups I have, and then just use PPM in each slackopup to download & install the v2.6.1-update version?

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#29 Post by souleau »

8Geee wrote:My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.
Thank you 8Geee for this explanation. That is very reassuring.

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#30 Post by jd7654 »

8Geee wrote:My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.
Ubuntu and Debian have released Krack patches for v2.1 and 2.3 respectively.
https://usn.ubuntu.com/usn/usn-3455-1/
https://www.debian.org/security/2017/dsa-3999
You are claiming these patches were unnecessary? Please provide link which shows 2.3 and earlier does not have the vulnerability, I have not seen that before.

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#31 Post by souleau »

Okay, without having the slightest idea of what I am talking about, but having a decent comprehension in reading, I have established the following from the link listed below.

If you have a wpa_supplicant version before 2.4, you are still open to attacks. However, the type of data that may be decrypted and is subsequently open to attacks is limited to ARP, DHCP, or TCP SYN packets.
These are, however, sufficient to potentially exploit other weaknesses in your system and possibly hijack an application session.
But if you have an unpatched wpa_supplicant version 2.4 or higher, then a forced replay scenario is handled in such a way that an encryption key consisting of all zeros is being installed, and that, on top of the types of data mentioned before, allows your general Wi-Fi data to be decrypted and manipulated also.

From this source:

http://www.revolutionwifi.net/revolutio ... nformation

So yeah, pretty bad all around.
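Added example, not code from this thread, from the KRACK authors or from wpa_supplicant: a toy model of the client side of the WPA2 4-way handshake that shows the two cases the post above distinguishes. An attacker who can block message 4 and replay message 3 makes an unpatched client reinstall its pairwise key, which resets the packet number CCMP uses as its nonce, so the next frame reuses keystream and the XOR of two ciphertexts gives the XOR of the plaintexts. In the wpa_supplicant 2.4+ behaviour described above the key was wiped from memory after the first install, so the replay installs an all-zero key and every later frame decrypts with a key the attacker already knows. The patched behaviour is to leave an already-installed key alone. Assumptions: CCMP's AES-CTR keystream is replaced by an HMAC-SHA256 counter construction so the script runs with the standard library only; the three client modes, the key, the packet-number layout and the frames are constructed for this illustration.

```python
"""Toy model of key reinstallation on a WPA2 client (added example).

Not the real CCMP or wpa_supplicant code: the keystream is an HMAC-SHA256
counter construction standing in for AES-CTR, and the client keeps only the
state needed to show the nonce reset and the all-zero key reinstall."""
import hashlib
import hmac


class ToyCCMP:
    """Stand-in for CCMP: keystream = HMAC-SHA256(key, packet_number || block).
    As with AES-CTR, the same (key, packet number) yields the same keystream."""

    def __init__(self, key):
        self.key = key

    def keystream(self, pn, length):
        out = b""
        block = 0
        while len(out) < length:
            msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()
            block += 1
        return out[:length]

    def xor(self, pn, data):
        """Encryption and decryption are the same XOR with the keystream."""
        return bytes(d ^ k for d, k in zip(data, self.keystream(pn, len(data))))


class Client:
    """Minimal supplicant state: the installed key and the next packet number.

    mode "vulnerable": reinstalls the same key on a retransmitted message 3,
                       which resets the packet number (nonce).
    mode "zeroing":    like vulnerable, but the TK was cleared from memory after
                       the first install, so the reinstall uses all zeros
                       (the wpa_supplicant 2.4+ case the post describes).
    mode "patched":    skips the install when the key is already in place."""

    def __init__(self, mode):
        self.mode = mode
        self.tk = None          # the TK as the supplicant keeps it in memory
        self.installed = None   # the TK as handed to the driver
        self.pn = 0             # packet number (CCMP nonce), reset on each install

    def on_message3(self, tk_from_handshake):
        if self.mode == "patched" and self.installed is not None:
            return              # answer with message 4 but leave the driver key alone
        key = self.tk if self.tk is not None else tk_from_handshake
        self.installed = key
        self.pn = 0             # installing a key starts the packet number over
        # 2.4+ cleared the TK after installing it, so a reinstall installs zeros.
        self.tk = bytes(16) if self.mode == "zeroing" else key

    def send(self, plaintext):
        self.pn += 1
        return self.pn, ToyCCMP(self.installed).xor(self.pn, plaintext)


def run_attack(mode, tk=bytes.fromhex("00112233445566778899aabbccddeeff")):
    """Drive one client through a replayed message 3 and report what an
    eavesdropper on the channel can learn. tk and the frames are constructed."""
    client = Client(mode)
    client.on_message3(tk)
    p1 = b"GET /index.html HTTP/1.1"
    p2 = b"POST /login HTTP/1.1 user=x"
    pn1, c1 = client.send(p1)
    client.on_message3(tk)              # attacker replays message 3
    pn2, c2 = client.send(p2)

    ct_xor = bytes(a ^ b for a, b in zip(c1, c2))   # zip stops at the shorter frame
    pt_xor = bytes(a ^ b for a, b in zip(p1, p2))
    return {
        "nonce_reused": pn1 == pn2,
        "plaintext_xor_leaks": ct_xor == pt_xor,
        "zero_key_decrypts": ToyCCMP(bytes(16)).xor(pn2, c2) == p2,
    }


if __name__ == "__main__":
    for mode in ("vulnerable", "zeroing", "patched"):
        print(mode, run_attack(mode))
```

The "vulnerable" run is the older-client case from the post: the password and key stay secret, but keystream reuse exposes the XOR of frames, which is enough to work on predictable traffic such as ARP, DHCP or TCP SYN. The "zeroing" run is the 2.4+ case: the XOR trick no longer applies because the second frame is under a different key, but that key is all zeros and the attacker decrypts the frame outright.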

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#32 Post by Sailor Enceladus »

8Geee wrote:As I'm writing and doing double-check, Slackware has released its patch for wpa_supplicant dated today (10/18/17). Note that Slackware is posting updates for 14.0, 14.1, 14.2 and current... all show v2.6-1.
Strange, when I use Updates Manager in Slacko 14.0 it says v2.6-1, but if I use Woof-CE to download packages.txt from the repositories it still grabs v2.4. Where is it even finding v2.4 in the list... when the repositories all show v1.0 and v2.6. I wonder.

edit: Nevermind, it's working now.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#33 Post by 8Geee »

Souleau:

That's the way I read it too. Older stuff has "other" problems... from 2.4 and up, "this" one occurs. This one is very bad in that all data can be "replayed". As someone else posted, the client-side (end-user) has 9 of 10 vulnerabilities.

Regards
8Geee

Puppy Package Manager needs to be updated, and is your friend here.

Subito Piano
Posts: 731
Joined: Mon 28 May 2007, 03:12
Location: UPSTATE New York

#34 Post by Subito Piano »

So...three questions:

1- is wpa-supplicant version 2.1 (in my TahrPup) vulnerable? I didn't catch that from the previous posts.
2 - I use a whitelist in my wi-fi router to block all devices not listed. Does this offer protection against KRACK vulnerability? I can't seem to find an answer to this on the web....(EDIT: I found that, according to this post, it will not help)
3 - can attacker hack via email programs such as Thunderbird and Sylpheed?

Thanks!
"God is love" - I John 4:12 (https://www.esv.org/1+John+4/)
Rockin' on a 2007 IBM/Lenovo T60 Centrino Duo with 32-bit XenialPup 7.5! :D
(A/V Linux for live digital synth needs)

6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States

#35 Post by 6502coder »

Subito Piano wrote: 1- is wpa-supplicant version 2.1 (in my TahrPup) vulnerable? I didn't catch that from the previous posts.
Yes, TahrPup is vulnerable. Apply the Ubuntu patches for Tahr -- see the link posted above by jd7654

Subito Piano
Posts: 731
Joined: Mon 28 May 2007, 03:12
Location: UPSTATE New York

#36 Post by Subito Piano »

Thanks, 6502..
...but forgive my ignorance. I followed the link and downloaded but don't know how to install it. :( I did find what I hope is the correct deb (wpasupplicant_2.1-0ubuntu1.5_i386.deb) here. However, issuing the command

    wpa_supplicant -v

yielded the same answer as before the install of this deb package

    wpa_supplicant v2.1

Which, I gather from the above posts, is to be expected.
So -- is this deb file that I installed the patch we TahrPup users need?

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#37 Post by jd7654 »

Subito Piano wrote:I did find what I hope is the correct deb (wpasupplicant_2.1-0ubuntu1.5_i386.deb) here. However, issuing the command

    wpa_supplicant -v

yielded the same answer as before the install of this deb package

    wpa_supplicant v2.1
The Trusty patch doesn't seem to work well with PPM, since the version does not change, but it does install OK in Puppy Tahr.(in full Ubuntu you can verify exact package version installed with dpkg/apt)
You can check file date and sizes in the layers like below, note Oct 16 and larger size:(example from Tahr64)

    root# ls -l /initrd/pup_ro2/sbin/wp*
    -rwxr-xr-x 1 root root    1735 Jan 28  2014 /initrd/pup_ro2/sbin/wpa_action
    -rwxr-xr-x 1 root root   94160 Dec 16  2015 /initrd/pup_ro2/sbin/wpa_cli
    -rwxr-xr-x 1 root root 1769888 Dec 16  2015 /initrd/pup_ro2/sbin/wpa_supplicant
    root# ls -l /initrd/pup_rw/sbin/wp*
    -rwxr-xr-x 1 root root    1735 Jan 28  2014 /initrd/pup_rw/sbin/wpa_action
    -rwxr-xr-x 1 root root   94160 Oct 16 03:25 /initrd/pup_rw/sbin/wpa_cli
    -rwxr-xr-x 1 root root 1773984 Oct 16 03:25 /initrd/pup_rw/sbin/wpa_supplicant
    root#
Slackware/Slacko did it better with a upgrade to new v2.6 with patch, so easy to see changes. Ubuntu just patched current version as a quick fix, which is ultra conservative.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#38 Post by 8Geee »

Just a reminder here

Whatever one does using wifi is vulnerable: whatever is done using ethernet is not.

This is not a function of the app: it is a function of wifi itself, no matter what app is used.

Regards
8Geee

Subito Piano
Posts: 731
Joined: Mon 28 May 2007, 03:12
Location: UPSTATE New York

#39 Post by Subito Piano »

jd7654: Thanks. Shows success in my laptop. I assume it will also show the update on my USB Puppy after a restart.

8Geee: Oh yes.....a good reminder to all. Which leads to a question -- if i have wifi up and running, cannot my wired system's information be compromised? Seems to me it would.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#40 Post by belham2 »

Subito Piano wrote:jd7654: Thanks. Shows success in my laptop. I assume it will also show the update on my USB Puppy after a restart.

8Geee: Oh yes.....a good reminder to all. Which leads to a question -- if i have wifi up and running, cannot my wired system's information be compromised? Seems to me it would.

Hi Subito,

Do yourself the biggest favor you could ever do: take a few hours and teach yourself how to setup a "subnet" in your home for your wireless devices. And prohibit that subnet from ever seeing your "lan" connected devices. Then, from that point forward, your home "wireless" gadgets will never interact & co-mingle with your "lan" connected gadgets. Use your wireless for all the carefree stuff you do online (like posting to this forum). And use your "lan" connected devices for all things you want done securely on the Net.

The WPA2 hack and issues you read does not affect the "lan" side of things, especially if a machine has no wireless and/or its wireless function is turned off. And if you're on a different subnet with your lan, then for all intents & purposes that lan could be halfway around the world and your wireless devices & its subnet would never know. :wink:
