From owner-freebsd-current@freebsd.org Mon Oct 16 17:56:53 2017 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AF872E40A1C for ; Mon, 16 Oct 2017 17:56:53 +0000 (UTC) (envelope-from adrian.chadd@gmail.com) Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5CA366607D; Mon, 16 Oct 2017 17:56:53 +0000 (UTC) (envelope-from adrian.chadd@gmail.com) Received: by mail-wm0-x22b.google.com with SMTP id f4so5682233wme.0; Mon, 16 Oct 2017 10:56:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=w3eoD9VCROoJa7Eoao0tOAZRAVZ9T0r05cf2J8sZESs=; b=BVF9P97JJM9GqC6i6E85UuI+rXer/M6+gzcCMU75FkFuN3zbQEsZVStaud6ky9DWHa 63YP6dnZW31KPTIT8wRO9+ChTPzyXUwZudkmqyu9Kpn6vEzLBADozXxWFYXnEDg18wPA DonZXUmO8mQIgh9XYYGs19/lX/tmeKXsXt2SrJOdl9DdtX1hsHUoR2WPw2DLfCRMphlB +w2o9Kt57u3Qj4CH+MIJL/mUJ2W9h1PsYEGHU1Y2tC7X1SGoPsGGVYMgw5BBXscXoYfC XDXc99c8IFgv42CUdvE3wEaIkbp53kHOm3PMqkh8RdtUrvDVppITK8ScHbvFW43aEW44 m73g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=w3eoD9VCROoJa7Eoao0tOAZRAVZ9T0r05cf2J8sZESs=; b=ZPF4k4K/7S91AAQX+1g943n5xZqrpi/wPgibHLAWC8UjZ6T7hMo9iFcDSckY6hBcww cDUOdFlZyeWMmciR/UTLHMGmeoLilJKWZRlthgQA7fXdRPichujZjD2nrAJCLF7s3Lcp AyRuRpKA+H7TjMF3c1q8AmnCa01jme+aOtwaAZwfeKGIPtfuaYZqGy9ht3/pc3galU78 I+YB0kc7XAUghQ648d4G3HBqwv32KcWNtv6ufjt4+nv7UXi+r1peo7zJ/5VLEQdSxBVp 1NJPlWG1eECOkhXBznkwxjv12Vrqb7m2lRvBgsQtPJTpYBu4xQSwBmHd3e4ISn1/xYzO tBjg== X-Gm-Message-State: AMCzsaWxdpj19ePlpTXPgFz7wifJgiiIJ+GE3yT8BKogQQuwAukK7avx +XpKh8eqZvD+Ng0wme6VN2y19w7uriyeEg/HmKY= X-Google-Smtp-Source: ABhQp+SE1uQkt7a3iS8V29ypIoRSIHY5PT2qqce1mQWQ5iFCp0Y3amPONU8eQ6js57R6WUHs2zYaSQ6wRhtv8IxmUlc= X-Received: by 10.28.31.76 with SMTP id f73mr1621260wmf.139.1508176611549; Mon, 16 Oct 2017 10:56:51 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.86.70 with HTTP; Mon, 16 Oct 2017 10:56:50 -0700 (PDT) In-Reply-To: References: <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org> <201710161304.v9GD4Fbh011760@slippy.cwsent.com> From: Adrian Chadd Date: Mon, 16 Oct 2017 10:56:50 -0700 Message-ID: Subject: Re: cve-2017-13077 - WPA2 security vulni To: Kevin Oberman Cc: Cy Schubert , Lev Serebryakov , blubee blubeeme , Poul-Henning Kamp , FreeBSD current Content-Type: text/plain; charset="UTF-8" X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Oct 2017 17:56:53 -0000 Right, there are backported patches against 2.6, but we're running 2.5 in contrib/ . This is all "I'm out of time right now", so if someone wants to do the ports work and/or the contrib work with the patches for this vuln then please do. I should be able to get to it in the next few days but I'm busy with family and employment. -adrian On 16 October 2017 at 10:19, Kevin Oberman wrote: > On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd > wrote: >> >> hi, >> >> I got the patches a couple days ago. I've been busy with personal life >> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If >> someone beats me to it, great, otherwise I'll try to do it in the next >> couple days. >> >> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update >> everything to but so far nope. It should be easy enough to update the >> port for now as it's at 2.6. >> >> >> >> -adrian >> >> >> On 16 October 2017 at 06:04, Cy Schubert wrote: >> > In message <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org>, Lev >> > Serebryakov >> > writes: >> >> On 16.10.2017 13:38, blubee blubeeme wrote: >> >> >> >> > well, that's a cluster if I ever seen one. >> >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, >> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, >> >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088. >> > >> > The gory details are here: >> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt >> > >> > The announcement is here: >> > https://www.krackattacks.com/ >> > >> > >> > -- >> > Cheers, >> > Cy Schubert >> > FreeBSD UNIX: Web: http://www.FreeBSD.org >> > >> > The need of the many outweighs the greed of the few. >> > > > > While I do not encourage waiting, it is quite likely that the upstream patch > wil show up very soon now that the vulnerability is public. > > It's also worth noting that fixing either end of the connection is all that > is required, as I understand it. So getting an update for your AP is not > required. That is very fortunate as the industry has a rather poor record of > getting out firmware updates for hardware more than a few months old. Also, > it appears that Windows and iOS are not vulnerable due to flaws in their > implementation of the WPA2 spec. (Of course, if you update your AP(s), you > no longer need to worry about your end devices. > -- > Kevin Oberman, Part time kid herder and retired Network Engineer > E-mail: rkoberman@gmail.com > PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683