Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 16 Oct 2017 10:19:28 -0700
From:      Kevin Oberman <rkoberman@gmail.com>
To:        Adrian Chadd <adrian.chadd@gmail.com>
Cc:        Cy Schubert <Cy.Schubert@komquats.com>, Lev Serebryakov <lev@freebsd.org>,  blubee blubeeme <gurenchan@gmail.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>,  FreeBSD current <freebsd-current@freebsd.org>
Subject:   Re: cve-2017-13077 - WPA2 security vulni
Message-ID:  <CAN6yY1tMsq3MAvaHb_MBUEzS_9yt8pQiDeLu8gYSdF19G=aCFg@mail.gmail.com>
In-Reply-To: <CAJ-VmonsZjn-9z9UC=DyEEUGEbTZ_nULVP_HWais_-fPgZLxNg@mail.gmail.com>
References:  <lev@FreeBSD.org> <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org> <201710161304.v9GD4Fbh011760@slippy.cwsent.com> <CAJ-VmonsZjn-9z9UC=DyEEUGEbTZ_nULVP_HWais_-fPgZLxNg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd <adrian.chadd@gmail.com>
wrote:

> hi,
>
> I got the patches a couple days ago. I've been busy with personal life
> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> someone beats me to it, great, otherwise I'll try to do it in the next
> couple days.
>
> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> everything to but so far nope. It should be easy enough to update the
> port for now as it's at 2.6.
>
>
>
> -adrian
>
>
> On 16 October 2017 at 06:04, Cy Schubert <Cy.Schubert@komquats.com> wrote:
> > In message <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org>, Lev
> Serebryakov
> > writes:
> >> On 16.10.2017 13:38, blubee blubeeme wrote:
> >>
> >> > well, that's a cluster if I ever seen one.
> >>  It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
> >
> > The gory details are here: https://w1.fi/security/2017-1/
> wpa-packet-number-reuse-with-replayed-messages.txt
> >
> > The announcement is here:
> > https://www.krackattacks.com/
> >
> >
> > --
> > Cheers,
> > Cy Schubert <Cy.Schubert@cschubert.com>
> > FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
> >
> >         The need of the many outweighs the greed of the few.
> >
>

While I do not encourage waiting, it is quite likely that the upstream
patch wil show up very soon now that the vulnerability is public.

It's also worth noting that fixing either end of the connection is all that
is required, as I understand it. So getting an update for your AP is not
required. That is very fortunate as the industry has a rather poor record
of getting out firmware updates for hardware more than a few months old.
Also, it appears that Windows and iOS are not vulnerable due to flaws in
their implementation of the WPA2 spec. (Of course, if you update your
AP(s), you no longer need to worry about your end devices.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1tMsq3MAvaHb_MBUEzS_9yt8pQiDeLu8gYSdF19G=aCFg>