This appears to be somewhat serious; it will probably require people to reflash the firmware in some or all of their wireless devices when fixes become available. How one reflashes IoT devices is problematic. - Brian
From ARSTechnica:
"The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8 a.m. Monday, east coast time. An advisory the US CERT recently distributed to about 100 organizations described the research this way:
"US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017."
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-p...
On 16 Oct 2017, at 09:56, Brian Kantor Brian@UCSD.Edu wrote:
This appears to be somewhat serious; it will probably require people to reflash the firmware in some or all of their wireless devices when fixes become available. How one reflashes IoT devices is problematic.
From what I gather from several sources, it seems to be fixable from the AP side (or at least can be mitigated).
Both Mikrotik and Ubiquiti have new firmware versions with a fix. Although for now we don't know whether it's a core protocol vulnerability or an implementation weakness.
I’ve applied the Ubiquiti fix, which is available from their beta program (enrolling is a matter of clicking in a form) and so far so good, my zoo of wireless devices is not complaining.
The fixed version from Ubiquiti is 3.9.3.7537
Mikrotik hasn't given very clear information (one of their support reps said on their forum "we have fixes"), but looking at their downloads and changelogs these versions seem to be fixed:
6.39.3 (2017-Oct-12 11:24)
6.40.4 (2017-Oct-02 08:38)
In case anyone is following the -rc channel, 6.41rc44 is not yet fixed. I guess they will release a new rc version today or tomorrow.
Borja - EA2EKH
On 16 Oct 2017, at 09:56, Brian Kantor Brian@UCSD.Edu wrote:
This appears to be somewhat serious; it will probably require people to reflash the firmware in some or all of their wireless devices when fixes become available. How one reflashes IoT devices is problematic.
I've got a clarification from Mikrotik. I told them that the title of a forum post, "RouterOS NOT affected by WPA2 vulnerabilities", was a bit misleading, but it turns out that they indeed weren't affected by the "nonce reuse".
I quote the whole answer below. I don’t have the full picture yet, but maybe Mikrotik equipment is not that urgent to patch after all.
"In the statement, we included a line, maybe it was not clearly phrased. One of the biggest issues that was mentioned, never applied to RouterOS at all ("nonce reuse"). We did include other general suggestions from CERT for key exchange improvement."
Borja - EA2EKH
A rather informative page on this is https://www.krackattacks.com/
- Brian
On 16 Oct 2017, at 09:56, Brian Kantor Brian@UCSD.Edu wrote:
This appears to be somewhat serious; it will probably require people to reflash the firmware in some or all of their wireless devices when fixes become available.
On 16 Oct 2017, at 11:29, Brian Kantor Brian@UCSD.Edu wrote:
A rather informative page on this is https://www.krackattacks.com/
Yep, and it's even worse than it seemed. I wrongly assumed that it affected mostly APs.
Borja.
All,
LEDE noted that they will release a version 17.01.4 to resolve this.
This is a bug in the common implementation of the WPA2 protocol, though a backwards-compatible fix can be implemented. For routers and other embedded devices, this requires a new firmware to be released by the manufacturers. For phones, the manufacturers must release an update. Operating systems can be updated. It should be borne in mind that the fix for routers only resolves the security problem if the device is being used as a Wired Bridge (e.g. the device is a client of another access point). Therefore, it's very important to patch clients on the WLAN, as well as the router.
If you use WiFi-enabled devices whose manufacturers have not or will not provide an upgrade, you should no longer consider their data to be secure over-the-air.
Also, quite a few devices have a bug in the dnsmasq DHCP client software. Updates for this are being released by router manufacturers as well (LEDE released an update for this in 17.01.3).
73,
- Lynwood KB3VWG
All,
If anyone is interested in updating their current version of LEDE before 17.01.4 is released, follow the package update instructions here:
https://wiki.openwrt.org/doc/techref/opkg
# opkg update
# opkg list-upgradable
# (on some of my routers, the package was hostapd-common)
# (on others, it was hostapd-mini)
# opkg upgrade hostapd-common
73,
- Lynwood KB3VWG
All,
LEDE version 17.01.4 was released yesterday. It includes the Dnsmasq and WPA2 security updates.
In addition, there's an AP-side Krack countermeasure added. Also, an "Enable key reinstallation (KRACK) countermeasures" check box was added to Wireless Security web GUI. To see the option in the 17.01.4 GUI, you'll need to opkg upgrade, as the functionality was added after the firmware release.
To enable the countermeasure from the command line (from https://forum.lede-project.org/t/critical-wifi-vulnerability-found-krack/745...):
uci set wireless.@wifi-iface[0].wpa_disable_eapol_key_retries='1'
# If you have a second interface (usually one for 2.4GHz wifi and one for 5GHZ), also type:
uci set wireless.@wifi-iface[1].wpa_disable_eapol_key_retries='1'
# Then save your changes and apply them by rebooting your device:
uci commit
reboot
73,
- Lynwood KB3VWG
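The uci commands above cover two interfaces by hand. As an added example (not from the LEDE forum post, the LEDE project, or anyone on this list), the script below audits the text of `uci show wireless` for every wifi-iface section that still lacks `wpa_disable_eapol_key_retries='1'` and prints the uci commands that would enable it, so a router with a guest network or more than two radios is not missed. It assumes the anonymous-section naming `@wifi-iface[N]` that `uci show` prints, and it only prints commands; the sample configuration embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not from the LEDE forum post or the list: audit the output of
# `uci show wireless` for wifi-iface sections that still lack the KRACK
# countermeasure option wpa_disable_eapol_key_retries='1' (option name as given
# in the thread) and emit the uci commands that would enable it.
# Assumption: anonymous wifi-iface sections are shown as @wifi-iface[N].

# Constructed sample of `uci show wireless` from a dual-band router with a
# guest network: iface 0 already has the countermeasure, iface 1 lacks it,
# iface 2 has it explicitly disabled.
SAMPLE_UCI_SHOW='wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.hwmode=11g
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].mode=ap
wireless.@wifi-iface[0].ssid=home-2g
wireless.@wifi-iface[0].encryption=psk2
wireless.@wifi-iface[0].wpa_disable_eapol_key_retries=1
wireless.radio1=wifi-device
wireless.radio1.type=mac80211
wireless.radio1.hwmode=11a
wireless.@wifi-iface[1]=wifi-iface
wireless.@wifi-iface[1].device=radio1
wireless.@wifi-iface[1].mode=ap
wireless.@wifi-iface[1].ssid=home-5g
wireless.@wifi-iface[1].encryption=psk2
wireless.@wifi-iface[2]=wifi-iface
wireless.@wifi-iface[2].device=radio1
wireless.@wifi-iface[2].mode=ap
wireless.@wifi-iface[2].ssid=guest
wireless.@wifi-iface[2].encryption=psk2
wireless.@wifi-iface[2].wpa_disable_eapol_key_retries=0'

# list_unprotected_ifaces: reads `uci show wireless` text on stdin and prints,
# one per line, every wifi-iface section whose wpa_disable_eapol_key_retries
# option is absent or not 1. Single quotes around values (printed by some uci
# builds) are stripped first so both output styles are handled.
list_unprotected_ifaces() {
    tr -d "'" | awk -F'[=.]' '
        # Section line: wireless.<section>=wifi-iface  (3 fields after splitting)
        NF == 3 && $3 == "wifi-iface" { iface[$2] = 1; next }
        # Option line: wireless.<section>.wpa_disable_eapol_key_retries=<value>
        NF == 4 && $3 == "wpa_disable_eapol_key_retries" && $4 == "1" { fixed[$2] = 1 }
        END { for (s in iface) if (!(s in fixed)) print s }
    ' | sort
}

# emit_fix_commands: turns the list of unprotected sections into the uci
# commands from the thread, followed by the commit and reboot that apply them.
# Nothing is executed here; the commands are printed for review.
emit_fix_commands() {
    unprotected=$(list_unprotected_ifaces)
    if [ -z "$unprotected" ]; then
        echo "# all wifi-iface sections already have the countermeasure"
        return 0
    fi
    printf '%s\n' "$unprotected" | while IFS= read -r section; do
        printf "uci set wireless.%s.wpa_disable_eapol_key_retries='1'\n" "$section"
    done
    echo "uci commit wireless"
    echo "reboot"
}

# Wrappers over the constructed sample; on a real router, pipe the live
# `uci show wireless` output into the two functions above instead.
count_unprotected() {
    printf '%s\n' "$SAMPLE_UCI_SHOW" | list_unprotected_ifaces | wc -l | tr -d ' '
}

sample_fix_commands() {
    printf '%s\n' "$SAMPLE_UCI_SHOW" | emit_fix_commands
}

sample_fix_commands
```

Run on the sample it prints two `uci set` lines (for `@wifi-iface[1]` and `@wifi-iface[2]`), then `uci commit wireless` and `reboot`; `@wifi-iface[0]` is left alone because it already carries the option. Re-running after the fix prints only the "already have the countermeasure" comment, which makes the check safe to repeat after every opkg upgrade.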
Here is a really good FAQ from the wireless vendor Aruba:
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf
On Mon, Oct 16, 2017 at 4:50 AM, Borja Marcos ea2ekh@gmail.com wrote:
On 16 Oct 2017, at 11:29, Brian Kantor Brian@UCSD.Edu wrote:
A rather informative page on this is https://www.krackattacks.com/
Yep, and it's even worse than it seemed. I wrongly assumed that it affected mostly APs.
Borja.
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
New wpa_supplicant pushed just hours ago on Mint 18.2.
On 2017-10-16 04:56 AM, Brian Kantor wrote:
This appears to be somewhat serious; it will probably require people to reflash the firmware in some or all of their wireless devices when fixes become available. How one reflashes IoT devices is problematic.
- Brian
From ARSTechnica:
"The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8 a.m. Monday, east coast time. An advisory the US CERT recently distributed to about 100 organizations described the research this way:
"US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017."
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-p...
VE1JOT,
My distro is upstream of yours (Ubuntu). It's now available as a Security Update. I suppose all Debian-based systems should have an update soon.
Old: 2.4-0ubuntu6
New: 2.4-0ubuntu6.2

* SECURITY UPDATE: Multiple issues in WPA protocol
  - debian/patches/2017-1/*.patch: Add patches from Debian stretch
  - CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
* SECURITY UPDATE: Denial of service issues
  - debian/patches/2016-1/*.patch: Add patches from Debian stretch
  - CVE-2016-4476
  - CVE-2016-4477
* This package does _not_ contain the changes from 2.4-0ubuntu6.1 in xenial-proposed.
73,
- Lynwood KB3VWG