From: "Ronald F. Guilmette"
To: freebsd-security@freebsd.org
Subject: Re: WPA2 bugz - One Man's Quick & Dirty Response
In-Reply-To: <20171016230525.GA94181@funkthat.com>
Date: Mon, 16 Oct 2017 19:14:26 -0700
Message-ID: <27180.1508206466@segfault.tristatelogic.com>

In message <20171016230525.GA94181@funkthat.com>, John-Mark Gurney wrote:

>> In light of the recent WPA2 disclosures, it has occurred to me that
>> as of today it may be a Bad Idea for me to be exporting all of this
>> stuff, read/write, to all of 192.168.1.0/24.
>
> Doesn't matter, if your network is compromised, only strong encryption
> and authentication will save you..

Hummm... I *think* that maybe I'm starting to understand now. But maybe not. I'm at a bit of a disadvantage, because like 99.999% of the population I'm still not entirely 100% clear on what can and can't be done with these new WPA2 exploits. But the thought did just occur to me... based on your comment... that these WPA2 problems might possibly be leverageable to the point where an attacker could be talking to my router via WiFi -and- could be doing so while using an IP address within the range (192.168.1.16/28) that I had hoped to export some NFS volumes to with read/write access. Is this, in effect, what you were suggesting? Or have I misunderstood yet again?

Assuming that I am basically on the Right Track, now, what should I do? What can be done? I am not just asking for me, but also on behalf of the few zillion other poor sods who, like me, know just enough about networking to be dangerous, and who, like me, have been caught rather flat-footed by these WPA2 issues.

I suspect that I am somewhat typical of a lot of folks. I have a file server system (mine happens to run FreeBSD) in one room (the office) and some clients that need at most read-only access to files on the file server in another room (i.e. the living room) where the connectivity is done with WiFi. I could use Samba/SMB for this, but in my experience NFS provides drastically better performance, so I've used that instead of SMB.

In the living room there's an x86-based HTPC running a crusty old version of OpenELEC (and it is this box, specifically, that needs the read-only access to the stuff on my file server) and also there's an Amazon Fire TV box, which has "secure" (giggle) access to some paid content elsewhere on the Internet.

Meanwhile, in the office, in addition to the FreeBSD machine which is my main workstation -and- file server, I also have a second machine running Linux/Ubuntu and a third machine running Windoze7. These are both hardwired into my Linksys E4200... a fact which I had hoped to leverage to give me some extra protection from these new WPA2 issues, but now I'm thinking maybe that won't actually fly. (I want these two machines to have read/write access to almost everything on my main file server machine.)

Based on your comments, John-Mark, and the earlier and equally worrying comments by Karl Denninger, I'm beginning to think that perhaps the only Right Way to solve all of the issues/problems/requirements that I'm facing is perhaps for me to set up a second local "more trusted" network, e.g. 192.168.2.0/24, and for me to add a simple switch and additional ethernet cards to each of my hardwired machines so that they can all talk to the new switch. Then I can export my NFS volumes, read/write, to 192.168.2.0/24, including even home directories and other exceptionally sensitive stuff, but then also NFS-export just my content/media volumes read-only to the (now entirely and physically separate) 192.168.1.0/24 network.

Is this a Good Plan or a Rotten Plan? As I've already stipulated, I know just enough about networking to be dangerous, so advice would be appreciated.

Also, what about the Amazon Fire TV box in the living room? It seems that it contains some magical crypto secrets that allow me to access certain paid content, in preference to others who haven't paid for it. Are all of those secrets now going to be up for grabs to anyone, starting tomorrow, who is physically close enough to connect to my WiFi router and who has in his/her possession appropriate WPA2 exploit code? If so, then what should I do... what -can- I even do about *that*? (Obviously, that is all closed-source proprietary stuff under the hood in that box, which greatly limits my options, and those of untold millions of others.)

> Also, w/ your config, you have to make sure your router does ingress
> filtering, as many times you can spoof packets between subnets too...

Two obvious questions: (1) "How?" and (2) "On which port(s), exactly? All of them?" I frankly don't know enough about -either- my Linksys E4200 -or- the ASUS RT-AC56U that's been sitting on my shelf for awhile now, waiting to replace the Linksys. And I specifically don't have any notion of how I either can or should tweak the filtering to comply with your suggestion, but I am more than willing to be instructed.

Lastly, with respect to SOHO routers generally... Shall I start up a betting pool? It will be interesting to see, in the weeks and months ahead, for each given SOHO WiFi router model, which comes out first, i.e. either (a) vendor-supplied firmware updates that deal with all of these WPA2 issues, or else (b) "WPA2-fix" versions of DD-WRT, OpenWRT, or Tomato for the same model(s). I'm betting that for a lot of these things, the open source firmwares with the WPA2 fixes are going to be out sooner than the equivalent vendor-supplied fixed firmwares. And of course, for a lot of older "orphaned" routers, fixed-up open source firmwares are likely to be the -only- choice, forever. Maybe that's a Good Thing.
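The export-splitting plan discussed in the message above (read/write only to a separate wired 192.168.2.0/24, media read-only to the WiFi-side 192.168.1.0/24), worked through as an added example that is not part of the original message or of any FreeBSD code. The two /etc/exports fragments, the paths (/usr/home, /data/projects, /data/media) and the client addresses are constructed for illustration; the parser covers only a subset of exports(5) syntax (paths, -ro, -alldirs, -maproot=, -network with -mask or a /prefix, and bare host addresses). It answers the question the poster is actually asking: if a WiFi client turns up with an address inside the exported range, what does mountd hand it?

```python
"""Who can reach which NFS export, and with what access?

Added example, not code from the original message.  Parses a subset of
FreeBSD exports(5) syntax and reports, for a given client source address,
which exported paths mountd would grant and whether read-only or read/write.
Both exports files below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The original plan: everything read/write to a slice of the WiFi-side subnet.
BEFORE = """\
# one flat network; r/w to the hosts in 192.168.1.16/28
/usr/home /data/projects /data/media -alldirs -maproot=root -network 192.168.1.16/28
"""

# The split plan: r/w only to the physically separate wired segment,
# media read-only to the WiFi-side subnet.  (-maproot=root is assumed here
# as the most permissive choice; it is not from the original message.)
AFTER = """\
/usr/home /data/projects -alldirs -maproot=root -network 192.168.2.0/24
/data/media -ro -alldirs -network 192.168.1.0 -mask 255.255.255.0
"""


@dataclass
class Export:
    paths: List[str]
    ro: bool = False
    alldirs: bool = False
    maproot: Optional[str] = None
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    hosts: List[ipaddress.IPv4Address] = field(default_factory=list)


def _classful(net: str) -> ipaddress.IPv4Network:
    """-network with neither -mask nor /prefix: exports(5) falls back to the
    classful (A/B/C) mask of the address, which is rarely what people mean."""
    first = int(net.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) lines; comments and blank lines are ignored."""
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        exp = Export(paths=[])
        net: Optional[str] = None
        mask: Optional[str] = None
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("/"):
                exp.paths.append(tok)
            elif tok == "-ro":
                exp.ro = True
            elif tok == "-alldirs":
                exp.alldirs = True
            elif tok.startswith("-maproot="):
                exp.maproot = tok.split("=", 1)[1]
            elif tok in ("-network", "-mask"):
                i += 1  # these two take an argument
                if tok == "-network":
                    net = tokens[i]
                else:
                    mask = tokens[i]
            elif tok.startswith("-"):
                raise ValueError(f"option not handled by this example: {tok}")
            else:
                # anything else is a host address (hostnames are not resolved here)
                exp.hosts.append(ipaddress.ip_address(tok))
            i += 1
        if net is not None:
            if mask is not None:
                exp.networks.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
            elif "/" in net:
                exp.networks.append(ipaddress.ip_network(net, strict=False))
            else:
                exp.networks.append(_classful(net))
        exports.append(exp)
    return exports


def access_for(exports: List[Export], client: str) -> Dict[str, str]:
    """Map each exported path the client can mount to 'ro' or 'rw'.

    mountd decides purely on the packet's source address, so a WiFi client
    that picked (or spoofed) an address inside a trusted range gets exactly
    the same answer as a legitimate wired host.  First matching line per path wins.
    """
    addr = ipaddress.ip_address(client)
    result: Dict[str, str] = {}
    for exp in exports:
        if addr in exp.hosts or any(addr in n for n in exp.networks):
            for path in exp.paths:
                result.setdefault(path, "ro" if exp.ro else "rw")
    return result


if __name__ == "__main__":
    wifi_client = "192.168.1.20"  # joined the WiFi, took an address in the /28
    wired_box = "192.168.2.10"
    for label, text in (("before", BEFORE), ("after", AFTER)):
        exps = parse_exports(text)
        print(label, wifi_client, access_for(exps, wifi_client))
        print(label, wired_box, access_for(exps, wired_box))
```

Under BEFORE the WiFi client at 192.168.1.20 gets every path read/write; under AFTER it gets only /data/media read-only, and the home directories are reachable only from 192.168.2.0/24. Two caveats the code makes visible: mountd only ever sees a source address, so the split holds only if no packet with a 192.168.2.0/24 source can arrive from the WiFi side (which is the ingress-filtering point raised in the quoted reply), and with AUTH_SYS the client also asserts its own uid, so read/write exports still trust the client host entirely. On a live server, `showmount -e` lists the exports and the hosts/networks each is offered to.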