From: Kevin Oberman
Date: Mon, 16 Oct 2017 10:19:28 -0700
Subject: Re: cve-2017-13077 - WPA2 security vulni
To: Adrian Chadd
Cc: Cy Schubert, Lev Serebryakov, blubee blubeeme, Poul-Henning Kamp, FreeBSD current

On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote:

> hi,
>
> I got the patches a couple days ago. I've been busy with personal life
> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> someone beats me to it, great, otherwise I'll try to do it in the next
> couple days.
>
> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> everything to but so far nope. It should be easy enough to update the
> port for now as it's at 2.6.
>
> -adrian
>
> On 16 October 2017 at 06:04, Cy Schubert wrote:
> > In message <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org>, Lev Serebryakov
> > writes:
> >> On 16.10.2017 13:38, blubee blubeeme wrote:
> >>
> >> > well, that's a cluster if I ever seen one.
> >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
> >
> > The gory details are here:
> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
> >
> > The announcement is here:
> > https://www.krackattacks.com/
> >
> > --
> > Cheers,
> > Cy Schubert
> > FreeBSD UNIX: Web: http://www.FreeBSD.org
> >
> > The need of the many outweighs the greed of the few.

While I do not encourage waiting, it is quite likely that the upstream
patch will show up very soon now that the vulnerability is public.

It's also worth noting that fixing either end of the connection is all
that is required, as I understand it. So getting an update for your AP is
not required. That is very fortunate as the industry has a rather poor
record of getting out firmware updates for hardware more than a few months
old.

Also, it appears that Windows and iOS are not vulnerable due to flaws in
their implementation of the WPA2 spec. (Of course, if you update your
AP(s), you no longer need to worry about your end devices.)

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683