From owner-freebsd-announce@freebsd.org Mon Oct 16 22:44:53 2017 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27D74E474D5 for ; Mon, 16 Oct 2017 22:44:53 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0C9C2709CF; Mon, 16 Oct 2017 22:44:53 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 92AE019FB; Mon, 16 Oct 2017 22:44:51 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20171016224451.92AE019FB@freefall.freebsd.org> Date: Mon, 16 Oct 2017 22:44:51 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Notice: WPA2 vulnerabilities X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.23 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Oct 2017 22:44:53 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dear FreeBSD community, As many have already noticed, there are a few newly disclosed WPA2 protocol vulnerabilities that affects wpa_supplicant and hostapd which also affects all supported FreeBSD releases: A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. We are actively working on a patch for the base system to address these issues. Current users who use Wi-Fi with WPA2 should use a wired connection as a workaround, and we strongly recommend using end-to-end encryption methods like HTTPS or SSH to better protect against this type of attack. Please note that a successful attack requires close proximity to the victim systems. Alternatively, we recommend wpa_supplicant users who are concerned with the issue to install an updated version from the ports/packages collection (version 2.6_2 or later). It can be installed via ports with: portsnap fetch update cd /usr/ports/security/wpa_supplicant make clean; make all deinstall install clean; Change /etc/rc.conf to make use of the port/package version by adding: wpa_supplicant_program="/usr/local/sbin/wpa_supplicant" And restart the Wi-Fi network interfaces or reboot the system. Additional information about this remediation will be released as SA-17:07 once it becomes available. For more information about the vulnerabilities, please see the following online resources: https://www.krackattacks.com/ https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Sincerely, The FreeBSD Security Team -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnlNZRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P aucGZhAAhy2aYcwShA6qiFixQbnmlyYr83+djWRIdpS1UIVmH5d3p26uQI6l58r1 +9LriuqLa/AiEgbsRXllA4923zQ8dfZuKYY6LMh6DWO1EZv/ganr5lFtvTTZ952Z jeUndq84wIgTHQ7Bnjr3mDHMe5USXworlnIml/dj2+gNnEfr/Kkit+76JUTluHYZ KXyPuXOWlQSFseP0zipIEJXi5s/Z++3n+Jzw0yZUAoAmqU6r+yZkIWIQf209jicn 5EevBJPh+JG2KHh4am8uoObN3FTwtIasWJxX9gkU3/F3tQagBM9HmZLyYgvEdvTZ G0LjEQqXZeN3uzISRPZ0rNmMsEJQg6Y5HIF7mr8S7BcExXApGecoCRdVBq0HCB1F yJyPQiBMGsXX6eyAFhaHi9AZt/pxOa7ZbtM+q4AWej5FR1nWvWIbdjhi98tbCCTW EWjrrvrkADWq/2Hr0U/ky7sP+BYSl8Foqpzfh7isrjOiP65R9fpJ1VzU8jdeJ3vk K32D/SVeAs3uq5FJvFuhWbrpQ2+bDk0lFd6LwQGzOXa67QJtOvvn9Ulxy0U786b5 RjVC6G2HLTndWkLlYkcpMff7+m7UxNZXqmq8adNwUeMbEWfxmGkFN/1bBcBThr8J 0Yxpmw1yfMqcdf6/bAxdLaCbndZr+0rGWvaBwAzRZTP57ry29wQ= =n5+i -----END PGP SIGNATURE-----