16 Oct
2017
16 Oct
'17
8:56 a.m.
This appears to be somewhat serious; it will probably require people
to reflash the firmware in some or all of their wireless devices when
fixes become available. How one reflashes IoT devices is problematic.
- Brian
From ARSTechnica:
"The proof-of-concept exploit is called KRACK, short for Key
Reinstallation Attacks. The research has been a closely guarded
secret for weeks ahead of a coordinated disclosure that's scheduled
for 8 a.m. Monday, east coast time. An advisory the US CERT recently
distributed to about 100 organizations described the research this way:
"US-CERT has become aware of several key management vulnerabilities in
the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security
protocol. The impact of exploiting these vulnerabilities includes
decryption, packet replay, TCP connection hijacking, HTTP content
injection, and others. Note that as protocol-level issues, most or all
correct implementations of the standard will be affected. The CERT/CC
and the reporting researcher KU Leuven, will be publicly disclosing
these vulnerabilities on 16 October 2017."
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-…
16 Oct
16 Oct
9:24 a.m.
On 16 Oct 2017, at 09:56, Brian Kantor
<Brian(a)UCSD.Edu> wrote:
This appears to be somewhat serious; it will probably require people
to reflash the firmware in some or all of their wireless devices when
fixes become available. How one reflashes IoT devices is problematic.
From what I gather from several sources, seems to be
fixable from the AP
side (or at least can be mitigated).
Both Mikrotik and Ubiquiti have new firmware versions with a fix. Although
for now we don’t know wether it’s a core protocol vulnerability or an implementation
weakness.
I’ve applied the Ubiquiti fix, which is available from their beta program (enrolling is
a matter of clicking in a form) and so far so good, my zoo of wireless devices is not
complaining.
The fixed version from Ubiquiti is 3.9.3.7537
Mikrotik hasn’t given very clear information (one of their support reps said on their
forum
“we have fixes” but looking at their downloads and changelogs these versions seem to be
fixed:
6.39.3 (2017-Oct-12 11:24)
6.40.4 (2017-Oct-02 08:38):
In case anyone is following the -rc channel, 6.41rc44 is not yet fixed. I guess they will
release
a new rc version today or tomorrow.
Borja - EA2EKH
9:53 a.m.
On 16 Oct 2017, at 09:56, Brian Kantor
<Brian(a)UCSD.Edu> wrote:
This appears to be somewhat serious; it will probably require people
to reflash the firmware in some or all of their wireless devices when
fixes become available. How one reflashes IoT devices is problematic.
I’ve got a clarification from Mikrotik. I told them that the title of a forum post was a
bit misleading
"RouterOS NOT affected by WPA2 vulnerabilities” but turns out that they weren’t
indeed affected by the
“nonce reuse”.
I quote the whole answer below. I don’t have the full picture yet, but maybe Mikrotik
equipment is
not that urgent to patch after all.
"In the statement, we included a line, maybe it was not clearly phrased. One of the
biggest issues that was mentioned, never applied to RouterOS at all ("nonce
reuse"). We did include other general suggestions from CERT for key exchange
improvement.”
Borja - EA2EKH
10:29 a.m.
A rather informative page on this is
https://www.krackattacks.com/
- Brian
On 16 Oct 2017, at 09:56, Brian Kantor <Brian(a)UCSD.Edu> wrote:
This appears to be somewhat serious; it will probably
require people
to reflash the firmware in some or all of their wireless devices when
fixes become available.
10:50 a.m.
On 16 Oct 2017, at 11:29, Brian Kantor
<Brian(a)UCSD.Edu> wrote:
A rather informative page on this is
https://www.krackattacks.com/
Yep, and it’s even worse than it seemed. I was wrongly assumed that it affected mostly
APs.
Borja.
8:36 p.m.
All,
LEDE noted that they will release a version 17.01.4 to resolve this.
This is a bug in the common implementation of the WPA2 protocol; though,
a backwards-compatible fix can be implemented. For routers and other
embedded devices, this requires a new firmware to be released by the
manufacturers. For phones, the manufacturers must release an update.
Operating systems can be updated. It should be borne in mind, that the
fix for routers only resolves the security problem if the device is
being used as a Wired Bridge (e.g. the device is a client of another
access point). Therefore, it's very important to patch clients on the
WLAN, as well as the router.
If you use devices that are WiFi-enabled, which manufactures have/will
not not provide an upgrade - you should no longer consider their data to
be secure over-the-air.
Also, quite a few devices have a bug in the dnsmasq DHCP client
software. Updates for this are being released by router manufacturers as
well (LEDE released an update for this in 17.01.3).
73,
- Lynwood
KB3VWG
18 Oct
18 Oct
1:49 a.m.
All,
If anyone is interested in updating their current version of LEDE before
17.01.4 is released, follow the package update instructions here:
https://wiki.openwrt.org/doc/techref/opkg
# okpg update
# opkg list-upgradable
# (on some of my routers, the package was hostapd-common)
# (on others, it was hostapd-mini)
# opkg upgrade hostapd-common
73,
- Lynwood
KB3VWG
19 Oct
19 Oct
3:54 p.m.
All,
LEDE version 17.01.4 was released yesterday. It includes the Dnsmasq and
WPA2 security updates.
In addition, there's an AP-side Krack countermeasure added. Also, an
"Enable key reinstallation (KRACK) countermeasures" check box was added
to Wireless Security web GUI. To see the option in the 17.01.4 GUI,
you'll need to opkg upgrade, as the functionality was added after the
firmware release.
To enable the countermeasure from from the command line (from
https://forum.lede-project.org/t/critical-wifi-vulnerability-found-krack/74…):
uci set
wireless.(a)wifi-iface[0].wpa_disable_eapol_key_retries='1'
# If you have a second interface (usually one for 2.4GHz wifi and one
for 5GHZ), also type:
uci set wireless.(a)wifi-iface[1].wpa_disable_eapol_key_retries='1'
# Then save your changes and apply them by rebooting your device:
uci commit
reboot
73,
- Lynwood
KB3VWG
16 Oct
16 Oct
8:55 p.m.
Here is a really good FAQ from the wireless vendor Aruba:
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf
On Mon, Oct 16, 2017 at 4:50 AM, Borja Marcos <ea2ekh(a)gmail.com> wrote:
--
Neil Johnson
On 16 Oct 2017, at 11:29, Brian Kantor
<Brian(a)UCSD.Edu> wrote:
A rather informative page on this is
https://www.krackattacks.com/
Yep, and it’s even worse than it seemed. I was wrongly assumed that it
affected mostly APs.
Borja.
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
17 Oct
17 Oct
12:33 a.m.
new wpa supplicant pushed just hours ago on mint 18.2..
On 2017-10-16 04:56 AM, Brian Kantor wrote:
This appears to be somewhat serious; it will probably
require people
to reflash the firmware in some or all of their wireless devices when
fixes become available. How one reflashes IoT devices is problematic.
- Brian
From ARSTechnica:
"The proof-of-concept exploit is called KRACK, short for Key
Reinstallation Attacks. The research has been a closely guarded
secret for weeks ahead of a coordinated disclosure that's scheduled
for 8 a.m. Monday, east coast time. An advisory the US CERT recently
distributed to about 100 organizations described the research this way:
"US-CERT has become aware of several key management vulnerabilities in
the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security
protocol. The impact of exploiting these vulnerabilities includes
decryption, packet replay, TCP connection hijacking, HTTP content
injection, and others. Note that as protocol-level issues, most or all
correct implementations of the standard will be affected. The CERT/CC
and the reporting researcher KU Leuven, will be publicly disclosing
these vulnerabilities on 16 October 2017."
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-…
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
1 a.m.
VE1JOT,
My distro is upstream of yours (Ubuntu). It's now available as a
Security Update. I suppose all Debian-based systems should have an
update soon.
Old: 2.4-0ubuntu6
New: 2.4-0ubuntu6.2
* SECURITY UPDATE: Multiple issues in WPA protocol
- debian/patches/2017-1/*.patch: Add patches from Debian stretch
- CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
CVE-2017-13088
* SECURITY UPDATE: Denial of service issues
- debian/patches/2016-1/*.patch: Add patches from Debian stretch
- CVE-2016-4476
- CVE-2016-4477
* This package does _not_ contain the changes from 2.4-0ubuntu6.1 in
xenial-proposed.
73,
- Lynwood
KB3VWG
2392
days inactive
2395
days old
10 comments
5 participants
participants (5)
-
Borja Marcos -
Brian Kantor -
jj -
lleachii@aol.com -
Neil Johnson