From owner-freebsd-current@freebsd.org  Mon Oct 16 18:09:40 2017
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 39528E40F00
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Mon, 16 Oct 2017 18:09:40 +0000 (UTC)
 (envelope-from oliver.pinter@hardenedbsd.org)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com
 [IPv6:2a00:1450:400c:c09::22e])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id B32A1669FA
 for <freebsd-current@freebsd.org>; Mon, 16 Oct 2017 18:09:39 +0000 (UTC)
 (envelope-from oliver.pinter@hardenedbsd.org)
Received: by mail-wm0-x22e.google.com with SMTP id k4so5742003wmc.1
 for <freebsd-current@freebsd.org>; Mon, 16 Oct 2017 11:09:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=jL0pJAUnh1X+j+cbXMyl3G0ETRhhOEVz/2O5ffKJEFw=;
 b=qDhwP7F608n8a+8GGneht+xwSZpfnsinXBb85jOF4nOw12uR3SFCaVW5FjaLv7iFeH
 KuTVWE7g7QFuXMclelvqJ4hGAlQ1nthlaZqrwhpSihKrogmOyXb93pzsTyexOMc2FYt1
 2YhzJz7uKldAq190MoThTf3flZ0cdsyM364a6CJyMNDFzA/Lf3nm1EtyjgXl2yFuRXH4
 ImgDtLV8PLjo3mkYsMLco9t/Wc1Bkkn+8fBKxGF/AzIt1mcKW+kAO3Kq5KpbPHTFX0lo
 8PBhhLOeG8iBRgsd16O0oIqOqqbPw7FKD5+v5u8gzdVYf45NkGT4J2srSHzbE7Y/Hkm7
 rCYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=jL0pJAUnh1X+j+cbXMyl3G0ETRhhOEVz/2O5ffKJEFw=;
 b=aDK10TlQLH+bKD3ZjBkMeH4bhjpkHIzL7zhgArC2H1n3NPDs02iOi6I8Nf/V5qCdgI
 Zm599DZwsSgk0Bfr+gF0l1mdqXwTVFQK8YGSepdnKFXWpt7qINntq3mYq9e0mRvnf9C/
 hMTK5lheY3GJeFG24WRRYAgsp+McANS8AWTrwduauPv0zLjXEuDCYdA/2WmBFd0t81jU
 eOYZhshgqAhCv+TliXiVIcMZjamfjmQtZhXvx31pW0PjlkemoyJWfaoyO4bNPoi7Ub8x
 CptgfbVOZs8ST3HQIAZsBJrTCUgxYdZCIPuZrGfVGqYNThkUj8w61DU/1P1ncmQeNUyO
 5Yag==
X-Gm-Message-State: AMCzsaWprGWtXbi9M0ILeVuzT/Cb5e/Onlkfkjchlxx1xIwsYRbrg1h7
 8U2xsnw03J9nHHzUkhjf6Qbiy4fq1uVZtfjOzNNnZA==
X-Google-Smtp-Source: AOwi7QAhsp5ic4MCCWVwUzyE/tQ5LmVjJuyl8JK4x5Dt/mepgAQf1vTpzAnmr/EwVy8KnI53qa4RJhNOaBrJymeRC7A=
X-Received: by 10.80.195.4 with SMTP id a4mr14022692edb.142.1508177378051;
 Mon, 16 Oct 2017 11:09:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.80.135.21 with HTTP; Mon, 16 Oct 2017 11:09:37 -0700 (PDT)
In-Reply-To: <CAJ-VmonoCf3GHn6Z+fRv5qcwK5VL63Hx+c3gwn_=QRwAE8mvoQ@mail.gmail.com>
References: <lev@FreeBSD.org>
 <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org>
 <201710161304.v9GD4Fbh011760@slippy.cwsent.com>
 <CAJ-VmonsZjn-9z9UC=DyEEUGEbTZ_nULVP_HWais_-fPgZLxNg@mail.gmail.com>
 <CAN6yY1tMsq3MAvaHb_MBUEzS_9yt8pQiDeLu8gYSdF19G=aCFg@mail.gmail.com>
 <CAJ-VmonoCf3GHn6Z+fRv5qcwK5VL63Hx+c3gwn_=QRwAE8mvoQ@mail.gmail.com>
From: Oliver Pinter <oliver.pinter@hardenedbsd.org>
Date: Mon, 16 Oct 2017 20:09:37 +0200
Message-ID: <CAPQ4ffua_eQ24z6a8XSH=CCBbqrXV6vXzMD5QgSGmYi198wX4w@mail.gmail.com>
Subject: Re: cve-2017-13077 - WPA2 security vulni
To: Adrian Chadd <adrian.chadd@gmail.com>
Cc: Kevin Oberman <rkoberman@gmail.com>, Cy Schubert <Cy.Schubert@komquats.com>,
 Lev Serebryakov <lev@freebsd.org>, blubee blubeeme <gurenchan@gmail.com>, 
 Poul-Henning Kamp <phk@phk.freebsd.dk>,
 FreeBSD current <freebsd-current@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Oct 2017 18:09:40 -0000

Hi Adrian!

How big effort is to update he in-tree wpa_supplicant/hostapd to the
latest supported version?
Is there any known regression / feature loss when do the upgrade?

On 10/16/17, Adrian Chadd <adrian.chadd@gmail.com> wrote:
> Right, there are backported patches against 2.6, but we're running 2.5
> in contrib/ .
>
> This is all "I'm out of time right now", so if someone wants to do the
> ports work and/or the contrib work with the patches for this vuln then
> please do. I should be able to get to it in the next few days but I'm
> busy with family and employment.
>
>
>
> -adrian
>
>
> On 16 October 2017 at 10:19, Kevin Oberman <rkoberman@gmail.com> wrote:
>> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd <adrian.chadd@gmail.com>
>> wrote:
>>>
>>> hi,
>>>
>>> I got the patches a couple days ago. I've been busy with personal life
>>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
>>> someone beats me to it, great, otherwise I'll try to do it in the next
>>> couple days.
>>>
>>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
>>> everything to but so far nope. It should be easy enough to update the
>>> port for now as it's at 2.6.
>>>
>>>
>>>
>>> -adrian
>>>
>>>
>>> On 16 October 2017 at 06:04, Cy Schubert <Cy.Schubert@komquats.com>
>>> wrote:
>>> > In message <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org>, Lev
>>> > Serebryakov
>>> > writes:
>>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
>>> >>
>>> >> > well, that's a cluster if I ever seen one.
>>> >>  It is really cluster: CVE-2017-13077, CVE-2017-13078,
>>> >> CVE-2017-13079,
>>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
>>> >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
>>> >
>>> > The gory details are here:
>>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
>>> >
>>> > The announcement is here:
>>> > https://www.krackattacks.com/
>>> >
>>> >
>>> > --
>>> > Cheers,
>>> > Cy Schubert <Cy.Schubert@cschubert.com>
>>> > FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
>>> >
>>> >         The need of the many outweighs the greed of the few.
>>> >
>>
>>
>> While I do not encourage waiting, it is quite likely that the upstream
>> patch
>> wil show up very soon now that the vulnerability is public.
>>
>> It's also worth noting that fixing either end of the connection is all
>> that
>> is required, as I understand it. So getting an update for your AP is not
>> required. That is very fortunate as the industry has a rather poor record
>> of
>> getting out firmware updates for hardware more than a few months old.
>> Also,
>> it appears that Windows and iOS are not vulnerable due to flaws in their
>> implementation of the WPA2 spec. (Of course, if you update your AP(s),
>> you
>> no longer need to worry about your end devices.
>> --
>> Kevin Oberman, Part time kid herder and retired Network Engineer
>> E-mail: rkoberman@gmail.com
>> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>