WPA2 wifi open to key reinstallation attacks

For discussions about security.
ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

#16 Post by ozsouth »

For Slackware64, I have wpa_supplicant v2.0. It has its own vulns, but would it be better until v2.7 arrives?

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#17 Post by belham2 »

jd7654 wrote:
prehistoric wrote:...Patching the router will protect those devices connecting to it via WiFi, even if they remain vulnerable elsewhere.
Patching the router won't fix the problem. This is currently a client-side exploit mainly, so all the clients/OSs need to be patched as a priority. The router/AP needs to be updated too, if it is used as a client/bridge, or if a later exploit is discovered on a lesser vulnerability. Many routers, webcams and IoT may never get updates though.

Here's a link with a list of updates:
https://github.com/kristate/krackinfo

I already updated my various Linux distros with available patches: Arch, Fedora, Debian. Also downloaded the Windows 7 update rollup (Win10 is automatic). No fix for my Android phone, so doing the recommended thing of switching back to LTE instead of WiFi for now. Amazon Kindle no fix yet.

Mint and Ubuntu LTS updated, and corresponding Puppy Tahr/Xenial can be updated with the same Ubuntu patches:
https://usn.ubuntu.com/usn/usn-3455-1/

Still waiting on Slackware, or have to roll your own.
Hi jd7654,

You lost me a bit (the bold, underlined above).

A neighbor friend has a combo DSL-ethernet modem/router from his DSL provider where the wifi is turned off. From behind it, sits another ethernet-connected router that is nothing more than a dumb ethernet/wifi (WPA2) Access Point. Are you saying it doesn't matter to patch this Access Point, because first you say "patching won't fix the router..." then in the next sentence "..the router/AP needs to be updated too...." His ISP pushed out updates to that main router already.

I don't know what to tell him.....like his ISP, my router manufacturer already pushed stuff out yesterday when I checked, so I updated the firmware to take care of just the router concerning this.

But with him, should I tell him to worry about all the ethernet/wifi OSes & gadgets he has (connected to the AP) in the house first and worry about the AP itself later? Or focus on getting his AP behind the already updated main router updated first, then all the computers/gadgets afterwards?

Thanks for any advice/tips....

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#18 Post by jd7654 »

belham2 wrote:...You lost me a bit (the bold, underlined above).
...
But with him, should I tell him to worry about all the ethernet/wifi OSes & gadgets he has (connected to the AP) in the house first and worry about the AP itself later?
Yeah, worry about the wireless clients first.

It's still early, since the exploit just got published yesterday, so there's lots of confusion (although vendors knew months ago...). Gotta dig through the reports, but it's there. There are multiple vulnerabilities exposed with this new attack vector, but most of the exposure is to the client.

My AP vendor TP-Link still hasn't pushed out any fixes yet, but only said this:
"The publisher also points out that, the main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates."

Lots of AP vendor information is vague or misleading, leaving people to think that the fix to the AP fixes the vulnerability. I found one vendor, Meraki, that explained that little fact better:
"If I upgrade to MR24-11/MR25-7, will I be protected from all 10 security vulnerabilities?
No, the fix protects devices from the 802.11r vulnerability. For all other vulnerabilities, as mentioned in the table above, the client is under attack and hence cannot be protected by the AP. "

So basically, patching your router/AP may fix only 1 out of 10 vulnerabilities. The client has all the other 9 more severe vulnerabilities.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

Slacko5.7

#19 Post by 8Geee »

Slacko5.7 is between a rock and a hard place.
The default is wpa_supplicant v. 1.0
Upgrade is to v. 2.4... pick your poison.

I did a cursory search of the Slackware Security advisories from late 2014 to find the v. 2.3.
Unfortunately Uncle Slacky says only the most recent upgrade is allowed. So much for the end-around. :roll:

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

fabrice_035
Posts: 765
Joined: Mon 28 Apr 2014, 17:54
Location: Bretagne / France

#20 Post by fabrice_035 »

I have upgraded wpa_supplicant from tahrpup to version 2.4 (look here, in French: http://www.murga-linux.com/puppy/viewtopic.php?t=111840)

The strange situation is that if you try to get the latest version of wpa_supplicant you can't see if it is patched with the -v option, because the version is the same after the patch.

Explain it to me :shock:

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#21 Post by souleau »

fabrice_035 wrote:I have upgrade wpa_supplicant from tahrpup to version 2.4
From what I can tell from this quote on the krackattacks website, you were probably better off not upgrading wpa_supplicant.
Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux.

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#22 Post by jd7654 »

RE: WPA Supplicant versions.

It's not so much the version number that matters, but whether or not it is patched for the Krack vulnerability. Yeah, it would be nice if they changed the version number so you could immediately recognize, but they probably just did a quick fix, applied the patches and recompiled.

Various versions of wpa_supplicant have been patched and released (I updated all these):
Ubuntu 14.04 - 2.1-0ubuntu1.5
Ubuntu 16.04 - 2.4-0ubuntu6.2
Debian 8 - 2.3-1deb8u5
Debian 9 - 2.4-1deb9u1
Arch and Fedora - 2.6-11

Does it work? I have no idea, I guess you just have to trust that they fixed it properly. All I can see is the file size increased. They are supposed to be releasing a tool later to allow you to check for the vulnerability on patched systems.

Many platforms have still not been patched like Apple, Google (Android, Chrome) and Amazon, it's still early. Unless you have a hacker living next door that is planning to attack you with Krack right now, you can probably wait a while till all the fixes get hashed out. I did try and compile with patches in Slacko 5.7 and 6.3.2 with wpa_supplicant 2.4, seemed to work OK, but I have no idea if it is patched properly. Hopefully Slackware releases their fixed versions eventually.
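As an added example (not code from any poster in this thread), here is the check jd7654 describes done programmatically: since, as fabrice_035 noted, the upstream number reported by wpa_supplicant -v does not change after the patch, the script compares the installed Debian/Ubuntu package version against the fixed revisions listed above using dpkg's version-ordering rules. The fixed version strings and distro keys are taken as quoted in this thread and not verified here, and the dpkg -s output is a constructed sample.

```python
import re

# Fixed package versions as quoted by jd7654 earlier in this thread (taken as
# written there, not verified); the patch bumps only the revision after the '-'.
FIXED_VERSIONS = {
    "ubuntu-14.04": "2.1-0ubuntu1.5",
    "ubuntu-16.04": "2.4-0ubuntu6.2",
    "debian-8": "2.3-1deb8u5",
    "debian-9": "2.4-1deb9u1",
}

def _order(c):
    # dpkg ordering for non-digit characters: '~' < end of string < letters < others
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _split(version):
    # upstream part and distro revision; dpkg splits at the last '-'
    upstream, sep, revision = version.rpartition("-")
    return (upstream, revision) if sep else (version, "")

def _cmp_part(a, b):
    # Alternate non-digit runs (dpkg lexical order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        # the trailing 0 stands for end of string, so "1.0~rc1" sorts below "1.0"
        ka, kb = tuple(map(_order, na)) + (0,), tuple(map(_order, nb)) + (0,)
        if ka != kb:
            return -1 if ka < kb else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 ordering v1 against v2 (epochs are not handled here)."""
    u1, r1 = _split(v1)
    u2, r2 = _split(v2)
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def installed_version(dpkg_status):
    """Pull the Version field out of `dpkg -s wpasupplicant` output."""
    m = re.search(r"^Version:\s*(\S+)", dpkg_status, re.M)
    return m.group(1) if m else None

def is_patched(distro, installed):
    return dpkg_compare(installed, FIXED_VERSIONS[distro]) >= 0
# Constructed sample of `dpkg -s wpasupplicant` output from a patched 16.04 box
SAMPLE_STATUS = "Package: wpasupplicant\nStatus: install ok installed\nVersion: 2.4-0ubuntu6.2\n"
```

Run `is_patched("ubuntu-16.04", installed_version(SAMPLE_STATUS))` against real `dpkg -s` output to get a yes/no answer the version string alone does not give.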

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#23 Post by souleau »

I am rather curious about to what extent versions of wpa_supplicant before 2.4 (read: older puppies) are exposed to this.

I run Precise myself and so my wpa_supplicant version is 0.7.3.

Now, I do not use wifi at all at home, but we do have visitors from time to time who bring their electronics. I'm probably right in assuming there won't be any patches for older versions of wpa_supplicant, so any more insight in the risks involved would be nice.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#24 Post by Flash »

Here's a good article from TechRepublic describing the attack and how it works, in some detail.
Of note, this attack does not allow attackers to recover the network password...

...Because of the nature of the attack, the client device is the target and is, therefore, the highest priority for patching.

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#25 Post by jd7654 »

souleau wrote:...I run Precise myself and so my wpa_supplicant version is 0.7.3.
I have Precise installed in some places. Tried to run the Trusty patch release wpasupplicant_2.1-0ubuntu1.5_i386 and it seems to work on Precise, no library conflicts, etc. Seems to run fine with a wireless connection.

So you could try that. Either drop in the minimum binaries, or install the full package, but I'd be more cautious about doing that.

Or you could try compiling as high a wpa_supplicant version as your distro/libraries allows and then patching that. Or just upgrade to Puppy Tahr or Xenial which still has official Ubuntu support.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#26 Post by 8Geee »

souleau:

My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.

Folks at 'buntu varieties have a habit of using the base version with an additional extension such as 2.1-4 or 2.0-5 etc. As a calendar basis for this, any update in 2015 or 2016 is highly suspect of being at least wpa_supplicant 2.4 or newer. Slackware shows May 2015 as its update to v. 2.4, and December 2014 as v. 2.3.

As I'm writing and doing double-check, Slackware has released its patch for wpa_supplicant dated today (10/18/17). Note that Slackware is posting updates for 14.0, 14.1, 14.2 and current... all show v2.6-1.

Regards
8Geee
Last edited by 8Geee on Thu 19 Oct 2017, 02:57, edited 1 time in total.

Gordie
Posts: 153
Joined: Tue 23 Aug 2016, 15:26
Location: Nolalu, Ontario, Canada

Slackware has a fix

#27 Post by Gordie »

Here is the Changelog for Slackware

ftp://ftp.osuosl.org/pub/slackware/slac ... ngeLog.txt

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#28 Post by belham2 »

8Geee wrote:souleau:

My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.

Folks at 'buntu varieties have a habit of using the base version with an additional extension such as 2.1-4 or 2.0-5 etc. As a calendar basis for this, any update in 2015 or 2016 is highly suspect of being at least wpa_supplicant 2.4 or newer. Slackware shows May 2015 as its update to v. 2.4, and December 2014 as v. 2.3.

As I'm writing and doing double-check, Slackware has released its patch for wpa_supplicant dated today (10/18/17). Note that Slackware is posting updates for 14.0, 14.1, 14.2 and current... all show v2.6-1.

Regards
8Geee

8GEEE,

How do we get the Slackware wpa-supplicant-v2.6.1-update into our Slackware-based pups that are not Peebee's slack versions (his are already patched with his deltas applied to the ISO--http://www.murga-linux.com/puppy/viewto ... 393#971393)? For all other slackos (including yours), can I just delete the existing wpa_supplicant in all these 'frugal' setup slackpups I have, and then just use PPM in each slackpup to download & install the v2.6.1-update version?

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#29 Post by souleau »

8Geee wrote:My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.
Thank you 8Geee for this explanation. That is very reassuring.

jd7654
Posts: 296
Joined: Mon 06 Apr 2015, 16:10

#30 Post by jd7654 »

8Geee wrote:My reading on this is that v. 2.4, 2.5, and 2.6 are vulnerable. It's in the way the 4-way handshake is implemented to allow TLS 1.1 and 1.2 schemes. Version 2.3 and earlier do not have this faulty implementation, and therefore are not subject to the cracking.
Ubuntu and Debian have released Krack patches for v2.1 and 2.3 respectively.
https://usn.ubuntu.com/usn/usn-3455-1/
https://www.debian.org/security/2017/dsa-3999
You are claiming these patches were unnecessary? Please provide a link which shows 2.3 and earlier does not have the vulnerability; I have not seen that before.

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#31 Post by souleau »

Okay, without having the slightest idea of what I am talking about, but having a decent comprehension in reading, I have established the following from the link listed below.

If you have a wpa_supplicant version before 2.4, you are still open to attacks. However, the type of data that may be decrypted and is subsequently open to attacks is limited to ARP, DHCP, or TCP SYN packets.
These are, however, sufficient to potentially exploit other weaknesses in your system and possibly hijack an application session.
But if you have an unpatched wpa_supplicant version 2.4 or higher, then a forced replay scenario is handled in such a way that an encryption key consisting of all zeros is being installed, and that, on top of the types of data mentioned before, allows your general Wi-Fi data to be decrypted and manipulated also.

From this source:

http://www.revolutionwifi.net/revolutio ... nformation

So yeah, pretty bad all around.

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#32 Post by Sailor Enceladus »

8Geee wrote:As I'm writing and doing double-check, Slackware has released its patch for wpa_supplicant dated today (10/18/17). Note that Slackware is posting updates for 14.0, 14.1, 14.2 and current... all show v2.6-1.
Strange, when I use Updates Manager in Slacko 14.0 it says v2.6-1, but if I use Woof-CE to download packages.txt from the repositories it still grabs v2.4. Where is it even finding v2.4 in the list... when the repositories all show v1.0 and v2.6. I wonder.

edit: Nevermind, it's working now.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#33 Post by 8Geee »

Soleau:

That's the way I read it too. Older stuff has "other" problems... from 2.4 and up, "this" one occurs. This one is very bad in that all data can be "replayed". As someone else posted, the client side (end user) has 9 of 10 vulnerabilities.

Regards
8Geee

Puppy Package Manager needs to be updated, and is your friend here.

Subito Piano
Posts: 731
Joined: Mon 28 May 2007, 03:12
Location: UPSTATE New York

#34 Post by Subito Piano »

So...three questions:

1- is wpa-supplicant version 2.1 (in my TahrPup) vulnerable? I didn't catch that from the previous posts.
2 - I use a whitelist in my wi-fi router to block all devices not listed. Does this offer protection against the KRACK vulnerability? I can't seem to find an answer to this on the web. (EDIT: I found that, according to this post, it will not help.)
3 - can an attacker hack via email programs such as Thunderbird and Sylpheed?

Thanks!
"God is love" - I John 4:12 (https://www.esv.org/1+John+4/)
Rockin' on a 2007 IBM/Lenovo T60 Centrino Duo with 32-bit XenialPup 7.5! :D
(A/V Linux for live digital synth needs)

6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States

#35 Post by 6502coder »

Subito Piano wrote: 1- is wpa-supplicant version 2.1 (in my TahrPup) vulnerable? I didn't catch that from the previous posts.
Yes, TahrPup is vulnerable. Apply the Ubuntu patches for Tahr -- see the link posted above by jd7654
