Puppy Linux Discussion Forum
WPA2 wifi open to key reinstallation attacks
Page 2 of 3 [41 Posts]
ozsouth

Joined: 01 Jan 2010
Posts: 255
Location: S.E Australia

Posted: Tue 17 Oct 2017, 03:34

For Slackware64, I have wpa_supplicant v2.0. It has its own vulns, but would it be better until v2.7 arrives?
belham2

Joined: 15 Aug 2016
Posts: 1304

Posted: Tue 17 Oct 2017, 05:55

jd7654 wrote:
prehistoric wrote:
...Patching the router will protect those devices connecting to it via WiFi, even if they remain vulnerable elsewhere.


Patching the router won't fix the problem. This is currently a client side exploit mainly, so all the clients/OSs need to be patched as a priority. The router/AP needs to be updated too, if it is used as a client/bridge, or if a later exploit is discovered on lesser vulnerability. Many routers, webcams and IoT may never get updates though.

Here's a link with a list of updates:
https://github.com/kristate/krackinfo

I already updated my various Linux distros with available patches: Arch, Fedora, Debian. Also downloaded Windows 7 update rollup. (Win10 is automatic) No fix for my Android Phone so doing recommended of switching back to LTE instead of WiFi for now. Amazon Kindle no fix yet.

Mint and Ubuntu LTS updated, and corresponding Puppy Tahr/Xenial can be updated with the same Ubuntu patches:
https://usn.ubuntu.com/usn/usn-3455-1/

Still waiting on Slackware, or have to roll your own.


Hi jd7654,

You lost me a bit (the bold, underlined above).

A neighbor friend has a combo DSL-ethernet modem/router from his DSL provider where the wifi is turned off. From behind it, sits another ethernet-connected router that is nothing more than a dumb ethernet/wifi (WPA2) Access Point. Are you saying it doesn't matter to patch this Access Point, because first you say "patching won't fix the router..." then in the next sentence "..the router/AP needs to be updated too...." His ISP pushed out updates to that main router already.

I don't know what to tell him.....like his ISP, my router mftr already pushed stuff out yesterday when I checked, so I updated the firmware to take care of just the router concerning this.

But with him, should I tell him to worry about all the ethernet/wifi OSes & gadgets he has (connected to the AP) in the house first and worry about the AP itself later? Or focus on getting his AP behind the already updated main router updated first, then all the computers/gadgets afterwards???

Thanks for any advice/tips....
jd7654

Joined: 06 Apr 2015
Posts: 256

Posted: Tue 17 Oct 2017, 12:01

belham2 wrote:
...You lost me a bit (the bold, underlined above).
...
But with him, should I tell him to worry about all the ethernet/wifi OSes & gadgets he has (connected to the AP) in the house first and worry about the AP itself later?


Yeah, worry about the wireless clients first.

It's still early, since the exploit just got published yesterday, lots of confusion. (although vendors knew months ago...) Gotta dig through the reports, but it's there. There are multiple vulnerabilities exposed with this new attack vector, but most of the exposure is to the client.

My AP vendor TP-Link still hasn't pushed out any fixes yet, but only said this:
"The publisher also points out that, the main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates."

Lots of AP vendor information is vague or misleading, leaving people to think that the fix to the AP fixes the vulnerability. I found one vendor, Meraki, that explained that little fact better:
"If I upgrade to MR24-11/MR25-7, will I be protected from all 10 security vulnerabilities?
No, the fix protects devices from the 802.11r vulnerability. For all other vulnerabilities, as mentioned in the table above, the client is under attack and hence cannot be protected by the AP. "


So basically, patching your router/AP may fix only 1 out of 10 vulnerabilities. The client has all the other 9 more severe vulnerabilities.
8Geee


Joined: 12 May 2008
Posts: 1264
Location: N.E. USA

Posted: Tue 17 Oct 2017, 20:15    Post subject: Slacko5.7

Slacko5.7 is between a rock and a hard place.
The default is wpa_supplicant v. 1.0
Upgrade is to v. 2.4... pick your poison.

I did a cursory search of the Slackware Security advisories from late 2014 to find the v. 2.3.
Unfortunately Uncle Slacky says only the most recent upgrade is allowed. So much for the end-around. Rolling Eyes

Regards
8Geee

_________________
Linux user #498913
fabrice_035

Joined: 28 Apr 2014
Posts: 433

Posted: Wed 18 Oct 2017, 01:25

I have upgraded wpa_supplicant from tahrpup to version 2.4 (look here, in French: http://www.murga-linux.com/puppy/viewtopic.php?t=111840)

The strange situation is that if you try to get the latest version of wpa_supplicant, you can't see if it is patched with the -v option, because the version is the same after the patch

Explain it to me Shocked
souleau


Joined: 23 Oct 2016
Posts: 112

Posted: Wed 18 Oct 2017, 04:50

fabrice_035 wrote:
I have upgraded wpa_supplicant from tahrpup to version 2.4


From what I can tell from this quote on the krackattacks website, you were probably better off not upgrading wpa_supplicant.

Quote:
Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux.
jd7654

Joined: 06 Apr 2015
Posts: 256

Posted: Wed 18 Oct 2017, 04:59

RE: WPA Supplicant versions.

It's not so much the version number that matters, but whether or not it is patched for the Krack vulnerability. Yeah, it would be nice if they changed the version number so you could immediately recognize, but they probably just did a quick fix, applied the patches and recompiled.

Various versions of wpa_supplicant have been patched and released: (I updated all these)
Ubuntu 14.04 - 2.1-0ubuntu1.5
Ubuntu 16.04 - 2.4-0ubuntu6.2
Debian 8 - 2.3-1deb8u5
Debian 9 - 2.4-1deb9u1
Arch and Fedora - 2.6-11

Does it work? I have no idea, I guess you just have to trust that they fixed it properly. All I can see is the file size increased. They are supposed to be releasing a tool later to allow you to check for the vulnerability on patched systems.

Many platforms have still not been patched like Apple, Google (Android, Chrome) and Amazon, it's still early. Unless you have a hacker living next door that is planning to attack you with Krack right now, you can probably wait a while till all the fixes get hashed out. I did try and compile with patches in Slacko 5.7 and 6.3.2 with wpa_supplicant 2.4, seemed to work OK, but I have no idea if it is patched properly. Hopefully Slackware releases their fixed versions eventually.
souleau


Joined: 23 Oct 2016
Posts: 112

Posted: Wed 18 Oct 2017, 09:53

I am rather curious about to what extent versions of wpa_supplicant before 2.4 (read: older puppies) are exposed to this.

I run Precise myself and so my wpa_supplicant version is 0.7.3.

Now, I do not use wifi at all at home, but we do have visitors from time to time who bring their electronics. I'm probably right in assuming there won't be any patches for older versions of wpa_supplicant, so any more insight in the risks involved would be nice.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12699
Location: Arizona USA

Posted: Wed 18 Oct 2017, 10:28

Here's a good article from TechRepublic describing the attack and how it works, in some detail.
Quote:
Of note, this attack does not allow attackers to recover the network password...

...Because of the nature of the attack, the client device is the target and is, therefore, the highest priority for patching.
jd7654

Joined: 06 Apr 2015
Posts: 256

Posted: Wed 18 Oct 2017, 15:17

souleau wrote:
...I run Precise myself and so my wpa_supplicant version is 0.7.3.


I have Precise installed in some places. Tried to run the Trusty patch release wpasupplicant_2.1-0ubuntu1.5_i386 and it seems to work on Precise, no library conflicts, etc. Seems to run fine with wireless connection.

So you could try that. Either drop in the minimum binaries, or install the full package, but I'd be more cautious about doing that.

Or you could try compiling as high a wpa_supplicant version as your distro/libraries allows and then patching that. Or just upgrade to Puppy Tahr or Xenial which still has official Ubuntu support.
8Geee


Joined: 12 May 2008
Posts: 1264
Location: N.E. USA

Posted: Wed 18 Oct 2017, 22:13

souleau:

My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.

Folks at 'buntu varieties have a habit of using the base version with an additional extension such as 2.1-4 or 2.0-5 etc. As a calendar basis for this, any update in 2015 or 2016 is highly suspect of being at least wpa_supplicant 2.4 or newer. Slackware shows May 2015 as its update to v. 2.4, and December 2014 as v. 2.3.

As I'm writing and doing double-check, Slackware has released its patch for wpa_supplicant dated today (10/18/17). Note that Slackware is posting updates for 14.0, 14.1, 14.2 and current... all show v2.6-1.

Regards
8Geee

_________________
Linux user #498913

Last edited by 8Geee on Wed 18 Oct 2017, 22:57; edited 1 time in total
Gordie

Joined: 23 Aug 2016
Posts: 84

Posted: Wed 18 Oct 2017, 22:46    Post subject: Slackware has a fix

Here is the Changelog for Slackware

ftp://ftp.osuosl.org/pub/slackware/slackware64-14.2/ChangeLog.txt
belham2

Joined: 15 Aug 2016
Posts: 1304

Posted: Thu 19 Oct 2017, 04:22

8Geee wrote:
souleau:

My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.

Folks at 'buntu varieties have a habit of using the base version with an additional extension such as 2.1-4 or 2.0-5 etc. As a calendar basis for this, any update in 2015 or 2016 is highly suspect of being at least wpa_supplicant 2.4 or newer. Slackware shows May 2015 as its update to v. 2.4, and December 2014 as v. 2.3.

As I'm writing and doing double-check, Slackware has released its patch for wpa_supplicant dated today (10/18/17). Note that Slackware is posting updates for 14.0, 14.1, 14.2 and current... all show v2.6-1.

Regards
8Geee



8GEEE,

How do we get the slackware wpa-supplicant-v2.6.1-update into our slackware-based pups that are not Peebee's slack-versions (his are already patched with his deltas applied to ISO--http://www.murga-linux.com/puppy/viewtopic.php?p=971393#971393)? For all other slackos (including yours), can I just delete the existing wpa_supplicant in all these 'frugal' setup slackpups I have, and then just use PPM in each slackopup to download & install the v2.6.1-update version?
souleau


Joined: 23 Oct 2016
Posts: 112

Posted: Thu 19 Oct 2017, 05:53

8Geee wrote:
My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.


Thank you 8Geee for this explanation. That is very reassuring.
jd7654

Joined: 06 Apr 2015
Posts: 256

Posted: Thu 19 Oct 2017, 11:24

8Geee wrote:
My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.


Ubuntu and Debian have released Krack patches for v2.1 and 2.3 respectively.
https://usn.ubuntu.com/usn/usn-3455-1/
https://www.debian.org/security/2017/dsa-3999
You are claiming these patches were unnecessary? Please provide a link which shows 2.3 and earlier does not have the vulnerability, I have not seen that before.