Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com)
An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been reserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks. Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches.
Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.
AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said.
In other words, some patches are available, but others are pending the investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: There is no official response at the time of writing.
Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
HostAP: The Linux driver provider has issued several patches in response to the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drivers and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
MikroTik: The vendor has already released patches that fix the vulnerabilities.
OpenBSD: Patches are now available.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end users.
Linux Mint (Score:2)
I just updated the WiFi exploit and Adobe flash for it. They have my back covered.
Re: (Score:2)
Looks like OpenSUSE also has updates for both issues now available.
Re: (Score:2)
Same on Fedora.
Open BSD Linux ... WTF (Score:2)
Re: (Score:3)
well I do love how OpenBSD already fixed this months ago
Re:Open BSD Linux ... WTF (Score:5, Informative)
well I do love how OpenBSD already fixed this months ago
The discoverer of the vulnerability states on his website that OpenBSD (Theo de Raadt) broke the embargo in July. Not much to love with that, since it reduced the security of everybody else. You will notice that most everybody else (Google seems to have been asleep) had patches ready _today_. This was when the embargo was lifted.
Going to the discoverer's site ( https://www.krackattacks.com/ [krackattacks.com] ) last night got you a page that said, "just a test that domain name and webserver are working." Unlike Theo, he was honoring the embargo-- this morning, he posted info about the exploit on that website.
Re: (Score:2)
I guess it's hard to patch a vulnerability in an open source project without advertising that it exists. In the case of other OS projects with zero-day fixes they kept the patches quieter, but I'm sure people who were paying attention noticed.
Re: Open BSD Linux ... WTF (Score:1)
Yeah, a 4 month embargo.
At least they had time to make a cool Krack logo.
I suggest the next person that finds a vulnerability just drops it and runs.
Re: (Score:2)
Why should Theo wait around for everyone else and leave his users vulnerable?
The whole point of an embargo is to maximize security. OpenBSD users weren't vulnerable. Until yesterday only a very select few people even knew how to perform the attack. On the flip side Theo by breaking the embargo not only made other users vulnerable, but also his own given that most of them probably wouldn't have considered the urgency of patching before it hit international news.
But for MONTHS?
You're not talking about a bug in Chrome here. We're talking about a bug in WiFi affecting every OS and many millions of emb
Re: (Score:2)
Besides, patching one system does not magically make the others vulnerable. They were already vulnerable.
On all counts, your argument has no leg to stand on, and yet we continue to allow this horseshit that vendors release vuln informati
Re: (Score:2)
no, you have defective logic. bug fixes that don't happen for months lessen security, you are a shill for the lazy and incompetent. no one has to respect the wishes of such
Re: (Score:2)
Google seems to have been asleep
https://android-review.googles... [googlesource.com]
https://android-review.googles... [googlesource.com]
https://android-review.googles... [googlesource.com]
https://android-review.googles... [googlesource.com]
https://android-review.googles... [googlesource.com]
https://android-review.googles... [googlesource.com]
https://android-review.googles... [googlesource.com]
https://android-review.googles... [googlesource.com]
All of those patches were prepared some time ago, distributed to device makers, and landed in AOSP when the embargo lifted.
Re: (Score:2)
well I do love how OpenBSD already fixed this months ago
The discoverer didn't love it. In fact, in the Q&A on his web site he says: "To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo."
If OpenBSD doesn't honor embargoes, OpenBSD will not be informed of vulnerabilities until shortly before the public release. Hopefully, researchers are able to accurately guess how long it will take OpenBSD to release a fix. If they find guessing accurately to be too hard, they'll just have to be conserva
Re: (Score:3)
If OpenBSD doesn't honor embargoes,
"Hey I found a flaw in your OS. I am also telling shittons of other people about it. Please respect my embargo and not fix it for 6 months. ok thanks"
Yep.
The alternative is "Hey I found a flaw in your OS six months ago and told shittons of other people about it. I'm publishing it tomorrow. I didn't tell you earlier because you don't honor embargoes."
Re: (Score:2)
Only not if five months beforehand, Theo already issues a patch without having been on the original distribution list, via a thumb-sized hole in the shitton dike.
He can't be the only security professional out there convinced to his very marrow that six months is a total crock.
Re: (Score:2)
Only not if five months beforehand, Theo already issues a patch without having been on the original distribution list, via a thumb-sized hole in the shitton dike.
He can't be the only security professional out there convinced to his very marrow that six months is a total crock.
Six months is long, but probably a good idea in this case, because a lot of affected systems are hard to patch.
But regardless of what you think of the duration, violating embargoes is a very good way to get actively excluded from notification.
You only need to patch the CLIENT (Score:4, Interesting)
Just to be clear, you probably only need to patch the client devices, not the wireless access points. In particular, https://www.krackattacks.com [krackattacks.com] says the following:
Re: (Score:2, Informative)
NO! Read what you responded to (and the link): the exploit does not target access points, only clients. Patching the access point doesn't do anything unless the AP itself is a client to another AP. An unpatched client on a patched AP is still 100% vulnerable.
Patch your clients!
Re: (Score:1)
NO! Read what you responded to (and the link): the exploit does not target access points, only clients. Patching the access point doesn't do anything unless the AP itself is a client to another AP. An unpatched client on a patched AP is still 100% vulnerable.
Patch your clients!
I thought if either the client or the AP is patched, then neither is vulnerable. Where are you getting that unpatched clients on a patched AP are still vulnerable?
Re: (Score:1)
Yeah. I wouldn't spread this idea about not patching the APs. For people with older Android phones it may be their best[only] option.
What about your APs, Apple? (Score:1)
So when is Apple going to patch their router hardware?
Tim Cook may have forgotten that Apple sells wifi APs, but I haven't.
What about DD-WRT, Tomato and the others (Score:3)
Yup, what about them?
Well, in a reasonable-quality article (on Windows Central), linked from the crappy article linked on the front page of Slashdot (as usual), they had the info for DD-WRT and LEDE (OpenWRT). It turns out that the source has been modified already, but no firmware images produced yet.
Now, it's just wait and see.
Here is the more decent article:
https://www.windowscentral.com... [windowscentral.com]
Re: (Score:2)
Hooray for OpenWRT. My WRT1200AC awaits a build.
Re: (Score:2)
Sorry to break it to you, but the general consensus seems to be "Migrate to LEDE, OpenWRT is dead". Your APs better have enough RAM and storage.
(That said, I'm running 15 OpenWRT APs myself, fun times ahead...)
Re: (Score:2)
Sorry to break it to you, but the general consensus seems to be "Migrate to LEDE, OpenWRT is dead". Your APs better have enough RAM and storage.
336 Linksys WRT1200AC v1 (caiman), v2 (caiman) 17.01.3 https://wiki.openwrt.org/toh/l... [openwrt.org]
Re:What about DD-WRT, Tomato and the others (Score:4, Informative)
From your link:
Official OpenWrt support for the WRT AC Series began under Chaos Calmer, with the LEDE Branch being the recommended Branch for the WRT AC Series
OpenWrt has not been actively maintained for the better part of a year and is no longer recommended for utilization.
Last major commits for OpenWrt were close to a year ago, and as such, LEDE is recommended for utilization.
Re: (Score:2)
My snippet was copied from https://lede-project.org/toh/s... [lede-project.org] so I'm doing OK here. I just haven't updated to lede yet. I am currently using an unofficial fork which has been updated more recently than two years ago, but not much.
Re: (Score:2)
Awesome, thank you SO much for that information!
(I spent the better part of today repeatedly bricking and unbricking a WRT1900ACS v2 in the attempt to migrate it from OpenWRT to LEDE and was literally just looking for my TTL-UART and JTAG programmer to bring in to work tomorrow to take it to the next level.)
You saved me a bunch of work!
Re: (Score:1)
For people on LEDE:
As the issue is mainly client side (such as when a router acts as a client of another router), two of the three fixes are in packages that can be updated without updating the whole firmware (or even rebooting the router). Updating wpad and hostapd should update them to version xxx-5 which fixes the issue.
There is also a kernel level fix that is going through the motions and will most likely mean 17.01.4 is out soon.
https://forum.lede-project.org... [lede-project.org]
Mitigation (Score:2)
One piece of information I did not find is the status when the WPA supplicant is vulnerable and the AP is fixed. Is an attack possible in that setup?
Also, WPA enterprise often uses EAP/TTLS for authentication. KRACK seems unable to compromise what happens inside the TLS tunnel. Is that the case?
Re: (Score:1)
An attack is still possible. The attack is on vulnerable clients that are tricked into connecting to a rogue AP that is made to look exactly like your existing AP. Whether your AP is fixed or not doesn't matter as it can't stop the rogue AP from showing up. Once your vulnerable client connects to the rogue AP it can be attacked.
Considering your AP is not often a client too (client side is where the real issue is) and you rarely take your AP to other public places they are not the highest priority. The highe
Re: (Score:1)
The APs can listen in on the rogues and figure out what's going on. At that point they can issue deauths to disrupt it and force re-auths.
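The AP-side rogue monitoring the reply above describes, as an added example that is not from the thread or from any vendor: it scans beacon records for the network's SSID arriving from a transmitter that is not in the AP inventory, and for an inventoried BSSID appearing on a channel other than the one it is configured for. The SSID, inventory and scan records are constructed values, and the second check assumes an impersonator that spoofs a real BSSID has to operate on a different channel.

```python
"""Rogue-AP detection over scan records (added example, constructed input).

In practice the Beacon records would come from a monitor-mode scanner on
the AP or on a dedicated sensor; here they are built inline.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # transmitter MAC in lower-case colon form
    channel: int

# Inventory of our legitimate APs: BSSID -> configured channel (hypothetical).
INVENTORY: Dict[str, int] = {
    "00:11:22:33:44:01": 6,
    "00:11:22:33:44:02": 11,
}
OUR_SSID = "CorpWiFi"   # constructed network name

def find_rogues(beacons: List[Beacon], ssid: str = OUR_SSID,
                inventory: Dict[str, int] = INVENTORY) -> List[Tuple[str, str, int]]:
    """Return (reason, bssid, channel) for each suspicious beacon.

    unknown-bssid : our SSID advertised by a transmitter not in the inventory
    channel-clone : an inventoried BSSID seen on a channel other than its own
                    (assumes a clone reusing the real MAC sits on another channel)
    """
    findings: List[Tuple[str, str, int]] = []
    seen: Set[Tuple[str, int]] = set()
    for b in beacons:
        key = (b.bssid.lower(), b.channel)
        if key in seen:
            continue                      # beacons repeat; report each pair once
        seen.add(key)
        bssid = key[0]
        if b.ssid == ssid and bssid not in inventory:
            findings.append(("unknown-bssid", bssid, b.channel))
        elif bssid in inventory and b.channel != inventory[bssid]:
            findings.append(("channel-clone", bssid, b.channel))
    return findings

# Constructed scan: two legitimate APs, a repeat, an unrelated network,
# an unknown transmitter using our SSID, and our own BSSID on the wrong channel.
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", 6),
    Beacon("CorpWiFi", "00:11:22:33:44:02", 11),
    Beacon("CorpWiFi", "00:11:22:33:44:01", 6),
    Beacon("GuestNet", "aa:bb:cc:dd:ee:ff", 1),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6),
    Beacon("CorpWiFi", "00:11:22:33:44:01", 1),
]

if __name__ == "__main__":
    for reason, bssid, ch in find_rogues(SAMPLE_SCAN):
        print(f"{reason}: {bssid} on channel {ch}")
```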
I've always had the cure here... apk (Score:1, Informative)
See subject: I don't USE that shit here @ home - wireless is for those who are NOT security-conscious or just ignorant of its track-record (like encryption is) - sooner or later, it's permeable, period.
* Am I bullshitting anyone here?
APK
P.S.=> I trust CABLES (shielded if/when possible) over 'wireless' by far (besides, copper's a FAR better conduit for signal than aerial beaming (wireless drops packets like mad vs. hardwired)- especially on TCP/IP protocols (TCP part demands 2-way handshakes, UDP doesn't)
Re: (Score:1)
Yeah but it's pretty safe to say that if anyone did tap your wires, they'd hit the disconnect button in a matter of seconds.
Then facepalm realizing they could have simply logged on to /. and browsed at -1 to see your life history...
Re: (Score:2)
Hate to disappoint you with facts, but lóngdông dàdáo means "East Dragon Highway". Lóng is "dragon", and dông is "East".
I heard a rumour recently to the effect that this is the 21st Century.
So why does Slashdot and Slashdot alone, of all the sites I visit, require me to use Pinyin instead of Hanzi? Even Ars Fucking Technica isn't afraid of legitimate uses for Unicode, but Slashdot...?
Re: (Score:2)
You must be new here.
Re: (Score:1)
We're not allowed to use Chinese here because they fear us plotting against the corrupt dictatorship of the modmins in a language they bù huì kàn dông.
how many products will be obsoleted by this? (Score:4, Insightful)
due to manufacturers and vendors choosing NOT to fix this for whatever reason (they simply don't care, not cost effective, not enough users to justify the effort, product no longer sold, product too old, product is EOL, etc, etc)....
vista and older are fucked, routers and access points older than about 3 years are fucked, wireless gear from lesser known companies are fucked, tablets from major vendors more than 3 years old are fucked, tablets from unknown vendors are fucked, phones that aren't current models are fucked.. there's a lot of gear that is going to be junk.. a LOT.
Re: (Score:2)
Really curious whether my girlfriend's iPhone 5 will get an update. It's now 5 years old, and didn't get the latest iOS 11 update from last month.
Re:how many products will be obsoleted by this? (Score:4, Informative)
In an ideal world, you'd patch both the client AND the AP. Doing so eliminates all the vulnerabilities.
But even if you can't, updating the AP already eliminates a whole class of vulnerabilities. Updating the client by itself, the same.
So the best results are had by updating everything. But even if you can't, updating the AP alone can help a lot.
So update what you can, and the older stuff, well, it was already vulnerable anyways from other flaws so I wouldn't worry too much about this.
My only question is where the UBNT stuff is... firmware 3.9 is supposed to fix it, but all I see for the Unifi stuff is 3.8.
Re: (Score:2)
Zero. Having network access is only a single layer in a security system. The loss of encryption here should not cause you to be in any great risk.
I mean you do still use SSL, passwords, and have up to date and patched OSes inside your network right?
RIGHT!?!
Re: (Score:2)
It allows an attacker to MITM one specific machine on a network. The rest relies on phishing attacks or other attacks to mimic and take over a connection. Even then that's a HUUUUGE amount of effort to get at a single user.
The attack vector gains access to attempt to exploit other vectors, nothing more. What this attack vector allows a person to do is anything they could previously do at any internet cafe, restaurant, airport, hotel, or any other place with open WiFi, and less. The "less" bit being the requ
Re: (Score:1)
Quite a few since it is only a matter of time before Intel's hardware backdoor that you can't disable (and AMD's equivalent) is fully compromised, if it hasn't been already. This exploit coupled with access to that thing means quite a few machines involving everyone from Apple and Dell to Linux mail servers and custom gaming rigs can be exposed. I think the risk is higher than it may first appear.
Re: (Score:1)
Who's going to change hardware because of some software vulnerability other than large companies and paranoid people?
Not going to replace the almighty WRT54GL with 2.4-kernel based Tomato
Good GOD (Score:2)
Re: (Score:2)
Snap, Crackle, Mitch, and Pop....
-- Mitch Hedberg
WEP Safe (Score:1)
I just switched to WEP, as it's not impacted. Much safer.
Re: (Score:2)
Nice try, but that one's already been done to death.
Can unpatched clients be blocked? (Score:2)
Re: (Score:3)
Obviously we need to migrate directly to WPA10. Or WPAX. Or WPA52.4.0. Or... What were we talking about, again, please?
Re: (Score:2)
It seems as if I was a bad guy, I would keep an unpatched device handy to do bad deeds and there's nothing anyone can do to stop me?
Having your own unpatched device would just allow you to break the security of the connection between your unpatched device and the AP. What you want is to break into the connection between someone else's device and the AP. If that other device is patched you can't do it.
Note that patching of APs isn't necessary unless the AP in question also acts as a client. So repeaters and mesh network nodes need to be patched.
Re: (Score:2)
Likewise, can I tell my client not to connect to unpatched APs?
How do I tell if the hotel wifi is a trap or if it's OK?
quick question (Score:2)
Re: (Score:2)
Do I need to patch my Windows PC, my router, both, or exactly one of the two but it's not important which?
The most important in regards to this is the client. But you should patch both.
Re: (Score:2)
slashmydots inquired:
Do I need to patch my Windows PC, my router, both, or exactly one of the two but it's not important which?
If you're running Windows 9/10 and aren't blocking updates, your PC is already patched - so you're safe.
But, when and as an update for your router becomes available, you really should patch it too. Remember: belt, suspenders, AND staples ...
Excellent ! (Score:2)
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
+5 Funny !
I love that they put OpenBSD under "Linux" (Score:2)
From the article:
Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
Does it even matter any more? (Score:3)
With Windows 10 and other OSs saving WiFi passwords to the cloud and sharing with who knows, WiFi security has taken a dump anyway.
Is there any way from the WiFi router to tell these OS incarnations "No, you do NOT have permissions to save these passwords!"?
Cat 6 is still available (Score:2)
lol (Score:2)
"While Windows machines are generally considered safe..."
I've never read those words in almost 20 years of coming here.
FreeBSD security advisory (Score:1)