cve-2017-13077 - WPA2 security vulni

Cy Schubert Cy.Schubert at komquats.com
Mon Oct 16 18:50:55 UTC 2017 

Eight patches have been posted so, it should be easy to patch 2.5, MFC, and bring head up to 2.6 later. This should avoid the risk of possible regressions.

I haven't looked at the ports.

---
Sent using a tiny phone keyboard. Apologies for any typos and autocorrect.

Cy Schubert
<Cy.Schubert at cschubert.com> or <cy at freebsd.org>

-----Original Message-----
From: Rodney W. Grimes
Sent: 16/10/2017 11:14
To: Kevin Oberman
Cc: Adrian Chadd; Cy Schubert; Lev Serebryakov; blubee blubeeme; Poul-Henning Kamp; FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni

> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd <adrian.chadd at gmail.com>
> wrote:
> 
> > hi,
> >
> > I got the patches a couple days ago. I've been busy with personal life
> > stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> > someone beats me to it, great, otherwise I'll try to do it in the next
> > couple days.
> >
> > I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> > everything to but so far nope. It should be easy enough to update the
> > port for now as it's at 2.6.
> >
> >
> >
> > -adrian
> >
> >
> > On 16 October 2017 at 06:04, Cy Schubert <Cy.Schubert at komquats.com> wrote:
> > > In message <44161b4d-f834-a01d-6ddb-475f208762f9 at FreeBSD.org>, Lev
> > Serebryakov
> > > writes:
> > >> On 16.10.2017 13:38, blubee blubeeme wrote:
> > >>
> > >> > well, that's a cluster if I ever seen one.
> > >>  It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> > >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> > >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088.
> > >
> > > The gory details are here: https://w1.fi/security/2017-1/
> > wpa-packet-number-reuse-with-replayed-messages.txt
> > >
> > > The announcement is here:
> > > https://www.krackattacks.com/
> > >
> > >
> > > --
> > > Cheers,
> > > Cy Schubert <Cy.Schubert at cschubert.com>
> > > FreeBSD UNIX:  <cy at FreeBSD.org>   Web:  http://www.FreeBSD.org
> > >
> > >         The need of the many outweighs the greed of the few.
> > >
> >
> 
> While I do not encourage waiting, it is quite likely that the upstream
> patch wil show up very soon now that the vulnerability is public.
> 
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record
> of getting out firmware updates for hardware more than a few months old.
> Also, it appears that Windows and iOS are not vulnerable due to flaws in
> their implementation of the WPA2 spec. (Of course, if you update your
> AP(s), you no longer need to worry about your end devices.
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>From my reading of the attack it is the client side that must
be fixed, you can not mitigate the client side bug by an update
to the AP.

> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman at gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
> 

-- 
Rod Grimes                                                 rgrimes at freebsd.org

More information about the freebsd-current mailing list