Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 16 Oct 2017 10:56:50 -0700
From:      Adrian Chadd <adrian.chadd@gmail.com>
To:        Kevin Oberman <rkoberman@gmail.com>
Cc:        Cy Schubert <Cy.Schubert@komquats.com>, Lev Serebryakov <lev@freebsd.org>,  blubee blubeeme <gurenchan@gmail.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>,  FreeBSD current <freebsd-current@freebsd.org>
Subject:   Re: cve-2017-13077 - WPA2 security vulni
Message-ID:  <CAJ-VmonoCf3GHn6Z%2BfRv5qcwK5VL63Hx%2Bc3gwn_=QRwAE8mvoQ@mail.gmail.com>
In-Reply-To: <CAN6yY1tMsq3MAvaHb_MBUEzS_9yt8pQiDeLu8gYSdF19G=aCFg@mail.gmail.com>
References:  <lev@FreeBSD.org> <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org> <201710161304.v9GD4Fbh011760@slippy.cwsent.com> <CAJ-VmonsZjn-9z9UC=DyEEUGEbTZ_nULVP_HWais_-fPgZLxNg@mail.gmail.com> <CAN6yY1tMsq3MAvaHb_MBUEzS_9yt8pQiDeLu8gYSdF19G=aCFg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Right, there are backported patches against 2.6, but we're running 2.5
in contrib/ .

This is all "I'm out of time right now", so if someone wants to do the
ports work and/or the contrib work with the patches for this vuln then
please do. I should be able to get to it in the next few days but I'm
busy with family and employment.



-adrian


On 16 October 2017 at 10:19, Kevin Oberman <rkoberman@gmail.com> wrote:
> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd <adrian.chadd@gmail.com>
> wrote:
>>
>> hi,
>>
>> I got the patches a couple days ago. I've been busy with personal life
>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
>> someone beats me to it, great, otherwise I'll try to do it in the next
>> couple days.
>>
>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
>> everything to but so far nope. It should be easy enough to update the
>> port for now as it's at 2.6.
>>
>>
>>
>> -adrian
>>
>>
>> On 16 October 2017 at 06:04, Cy Schubert <Cy.Schubert@komquats.com> wrote:
>> > In message <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org>, Lev
>> > Serebryakov
>> > writes:
>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
>> >>
>> >> > well, that's a cluster if I ever seen one.
>> >>  It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
>> >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
>> >
>> > The gory details are here:
>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
>> >
>> > The announcement is here:
>> > https://www.krackattacks.com/
>> >
>> >
>> > --
>> > Cheers,
>> > Cy Schubert <Cy.Schubert@cschubert.com>
>> > FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
>> >
>> >         The need of the many outweighs the greed of the few.
>> >
>
>
> While I do not encourage waiting, it is quite likely that the upstream patch
> wil show up very soon now that the vulnerability is public.
>
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record of
> getting out firmware updates for hardware more than a few months old. Also,
> it appears that Windows and iOS are not vulnerable due to flaws in their
> implementation of the WPA2 spec. (Of course, if you update your AP(s), you
> no longer need to worry about your end devices.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ-VmonoCf3GHn6Z%2BfRv5qcwK5VL63Hx%2Bc3gwn_=QRwAE8mvoQ>