Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Wireless Networking Communications Network Privacy Security Software Technology

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com) 140

An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.

Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches.

Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.

AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."

Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.

"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said.

In other words, some patches are available, but others are pending the investigation.

Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.

Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.

FreeBSD Project: There is no official response at the time of writing.

Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."

HostAP: The Linux driver provider has issued several patches in response to the disclosure.

Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.

Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.

Netgear: Netgear has released fixes for some router hardware. The full list can be found here.

Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.

MikroTik: The vendor has already released patches that fix the vulnerabilities.

OpenBSD: Patches are now available.

Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.

Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.

Wi-Fi Standard: A fix is available for vendors but not directly for end users.
This discussion has been archived. No new comments can be posted.

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now

Comments Filter:
  • I just updated the WiFi exploit and Adobe flash for it. They have my back covered.

    • Looks like OpenSUSE also has updates for both issues now available.

    • by r1348 ( 2567295 )

      Same on Fedora.

  • I love how the section on Linux patch availability talks about one of the BSDs. Always good to hear about your mission critical patches from people who don't know the difference.
    • well I do love how OpenBSD already fixed this months ago

      • by Anonymous Coward on Monday October 16, 2017 @11:39PM (#55381273)

        well I do love how OpenBSD already fixed this months ago

        The discoverer of the vulnerability states on his website that openbsd (Theo Radt) broke the embargo in July. Not much to love with that, since it reduced the security of everybody else. You will notice that most everybody else (Google seems to have been asleep), had patches ready _today_. This was when the embargo was lifted.

        Going to the discoverer's site ( https://www.krackattacks.com/ [krackattacks.com] ) last night got you a page that said, "just a test that domain name and webserver are working." Unlike Theo, he was honoring the embargo-- this morning, he posted info about the exploit on that website.

        • by AmiMoJo ( 196126 )

          I guess it's hard to patch a vulnerability in an open source project without advertising that it exists. In the case of other OS projects with zero-day fixes they kept the patches quieter, but I'm sure people who were paying attention noticed.

        • by Anonymous Coward

          Yeah, a 4 month embargo.
          At least they had time to make a cool Krack logo.

          I suggest the next person that find a vulnerability just drops it and runs.

        • Comment removed based on user account deletion
          • Why should Theo wait around for everyone else and leave his users vulnerable?

            The whole point of an embargo is to maximize security. OpenBSD users weren't vulnerable. Until yesterday only a very select few people even knew how to perform the attack. On the flip side Theo by breaking the embargo not only made other users vulnerable, but also his own given that most of them probably wouldn't have considered the urgency of patching before it hit international news.

            But for MONTHS?

            You're not talking about a bug in Chrome here. We're talking about a but in WiFi affecting every OS and many millions of emb

            • by jofas ( 1081977 )
              The _real_ point of an embargo is to allow those businesses participating in the embargo to save face. The embargo does not serve the user. Theo could have specifed that his patch was simply good practice, which is true. He did not advertise the reason for the patch either.
              Besides, patching one system does not magically make the others vulnerable. They were already vulnerable.
              On all counts, your argument has no leg to stand on, and yet we continue to allow this horseshit that vendors release vuln informati
            • no, you have defective logic. bug fixes that don't happen for months lessen security, you are a shill for the lazy and incompetent. no one has to respect the wishes of such

        • Google seems to have been asleep

          https://android-review.googles... [googlesource.com]
          https://android-review.googles... [googlesource.com]
          https://android-review.googles... [googlesource.com]
          https://android-review.googles... [googlesource.com]
          https://android-review.googles... [googlesource.com]
          https://android-review.googles... [googlesource.com]
          https://android-review.googles... [googlesource.com]
          https://android-review.googles... [googlesource.com]

          All of those patches were prepared some time ago, distributed to device makers, and landed in AOSP when the embargo lifted.

      • well I do love how OpenBSD already fixed this months ago

        The discoverer didn't love it. In fact, in the Q&A on his web site he says: "To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo."

        If OpenBSD doesn't honor embargoes, OpenBSD will not be informed of vulnerabilities until shortly before the public release. Hopefully, researchers are able to accurately guess how long it will take OpenBSD to release a fix. If they find guessing accurately to be too hard, they'll just have to be conserva

  • by Anonymous Coward on Monday October 16, 2017 @07:16PM (#55380475)

    Just to be clear, you probably only need to patch the client devices, not the wireless access points. In particular, https://www.krackattacks.com [krackattacks.com] says the following:

    Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. ... For ordinary home users, your priority should be updating clients such as laptops and smartphones.

    • Re: (Score:3, Informative)

      by billrp ( 1530055 )
      Or patch the router to protect those clients that have not yet been patch.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        NO! Read what you responded to (and the link): the exploit does not target access points, only clients. Patching the access point doesn't do anything unless the AP itself is a client to another AP. An unpatched client on a patched AP is still 100% vulnerable.

        Patch your clients!

        • by Anonymous Coward

          NO! Read what you responded to (and the link): the exploit does not target access points, only clients. Patching the access point doesn't do anything unless the AP itself is a client to another AP. An unpatched client on a patched AP is still 100% vulnerable.

          Patch your clients!

          I thought if either the client or the AP is patched, then neither is vulnerable. Where are you getting that unpatched clients on a patched AP are still vulnerable?

    • by Anonymous Coward

      Yeah. I wouldn't spread this idea about not patching the APs. For people with older Android phones it may be their best[only] option.

  • by Anonymous Coward

    So when is Apple going to patch their router hardware?

    Tim Cook may have forgotten that Apple sells wifi APs, but I haven't.

  • by williamyf ( 227051 ) on Monday October 16, 2017 @07:48PM (#55380595)

    Yup, what about them?

    Well, in a reasonably quality article (on windows central), linked from the Crappy article linked on the front page of Slashdot (as ussual), they had the info for DD-WRT and LEDE (OpenWRT). It turns out that the Source has been modified already, but no firmware images produced yet.

    Now, is just wait and see.

    Here is the more decent article:
    https://www.windowscentral.com... [windowscentral.com]

    • Hooray for OpenWRT. My WRT1200AC awaits a build.

      • by fisted ( 2295862 )

        Sorry to break it to you, but the general consensus seems to be "Migrate to LEDE, OpenWRT is dead". Your APs better have enough RAM and storage.
        (That said, I'm running 15 OpenWRT APs myself, fun times ahead...)

        • Sorry to break it to you, but the general consensus seems to be "Migrate to LEDE, OpenWRT is dead". Your APs better have enough RAM and storage.

          336 Linksys WRT1200AC v1 (caiman), v2 (caiman) 17.01.3 https://wiki.openwrt.org/toh/l... [openwrt.org]

          • by fisted ( 2295862 ) on Tuesday October 17, 2017 @06:13AM (#55381967)

            From your link:

            Official OpenWrt support for the WRT AC Series began under Chaos Calmer, with the LEDE Branch being the recommended Branch for the WRT AC Series

            OpenWrt has not been actively maintained for the better part of a year and is no longer recommended for utilization.
            Last major commits for OpenWrt were close to a year ago, and as such, LEDE is recommended for utilization.

        • by eguaj ( 612494 )
          Looks like OpenWRT will release a Chaos Calmer 15.05.1a (or 15.05.2) with fixes for dropbear, *ssl, dnsmasq, and hostapd binaries : https://forum.openwrt.org/view... [openwrt.org]
          • by fisted ( 2295862 )

            Awesome, thank you SO much for that information!

            (I spent the better part of today repeatedly bricking and unbricking a WRT1900ACS v2 in the attempt to migrate it from OpenWRT to LEDE and was literally just looking for my TTL-UART and JTAG programmer to bring in to work tomorrow to take it to the next level.)
            You saved me a bunch of work!

    • For people on LEDE:
      As the issue is mainly client side (such as when a router acts as a client of another router), two of the three fixes are in packages that can be updated without updating the whole firmware (or even rebooting the router). Updating wpad and hostapd should update them to version xxx-5 which fixes the issue.

      There is also a kernel level fix that is going through the motions and will most likely mean 17.01.4 is out soon.

      https://forum.lede-project.org... [lede-project.org]

  • One information I did not find is the status when the WPA supplicant is vulnerable and the AP is fixed. Is attack possible in that setup?

    Also, WPA enterprise often use EAP/TTLS for authentication. KRACK seems unable to compromise what happens inside the TLS tunnel. Is that the case?

    • An attack is still possible. The attack is on vulnerable clients that are tricked into connecting to a rogue AP that is made to look exactly like your existing AP. Whether your AP is fixed or not doesn't matter as it can't stop the rogue AP from showing up. Once your vulnerable client connects to the rogue AP it can be attacked.

      Considering your AP is not often a client too (client side is where the real issue is) and you rarely take your AP to other public places they are not the highest priority. The highe

      • by Anonymous Coward

        The AP's can listen in on the rogues and figure out what's going on. At that point that can issue deauth's to disrupt it and force re-auths.

      • When using EAP-TTLS, there is a TLS handshake where the WPA supplicant has the opportunity to validate the authenticating server through a x509 certificate. That extra layer is not easy to break.
  • by Anonymous Coward

    See subject: I don't USE that shit here @ home - wireless is for those who are NOT security-conscious or just ignorant of its track-record (like encryption is) - sooner or later, it's permeable, period.

    * Am I bullshitting anyone here?

    APK

    P.S.=> I trust CABLES (shielded if/when possible) over 'wireless' by far (besides, copper's a FAR better conduit for signal than aerial beaming (wireless drops packets like mad vs. hardwired)- especially on TCP/IP protocols (TCP part demands 2-way handshakes, UDP doesn't)

    • by Anonymous Coward

      Yeah but it's pretty safe to say that if anyone did tap your wires, they'd hit the disconnect button in a matter of seconds.

      Then facepalm realizing they could have simply logged on to /. and browsed at -1 to see your life history...

  • by Anonymous Coward on Monday October 16, 2017 @09:02PM (#55380893)

    due to manufacturers and vendors choosing NOT to fix this for whatever reason (they simply don't care, not cost effective, not enough users to justify the effort, product no longer sold, product too old, product is EOL, etc, etc)....

    vista and older are fucked, routers and access points older than about 3 years are fucked, wireless gear from lesser known companies are fucked, tablets from major vendors more than 3 years old are fucked, tablets from unknown vendors are fucked, phones that aren't current models are fucked.. there's a lot of gear that is going to be junk.. a LOT.

    • Really curious whether my girlfriend's iPhone 5 will get an update. It's now 5 years old, and didn't get the latest iOS 11 update from last month.

    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Tuesday October 17, 2017 @02:04AM (#55381605)

      due to manufacturers and vendors choosing NOT to fix this for whatever reason (they simply don't care, not cost effective, not enough users to justify the effort, product no longer sold, product too old, product is EOL, etc, etc)....

      In an ideal world, you'd patch both the client AND the AP. Doing so eliminates all the vulnerabilities.

      But even if you can't, updating the AP already eliminates a whole class of vulnerabilities. Updating the client by itself, the same.

      So the best results are had by updating everything. But even if you can't, updating the AP alone can help a lot.

      So update what you can, and the older stuff, well, it was already vulnerable anyways from other flaws so I wouldn't worry too much about this.

      My only question is where the UBNT stuff is... firmware 3.9 is supposed to fix it, but all I see for the Unifi stuff is 3.8.

    • Zero. Having network access is only a single layer in a security system. The loss of encryption here should not cause you to be in any great risk.

      I mean you do still use SSL, passwords, and have up to date and patched OSes inside your network right?

      RIGHT!?!

      • Quite a few since it is only a matter of time before Intel's hardware backdoor that you can't disable (and AMD's equivalent) is fully compromised, if it hasn't been already. This exploit coupled with access to that thing means quite a few machines involving everyone from Apple and Dell to Linux mail servers and custom gaming rigs can be exposed. I think the risk is higher than it may first appear.

    • by l20502 ( 4813775 )
      obsoleted?
      Whos going to change hardware because of some software vulnerability other than large companies and paranoid people?

      Not going to replace teh almighty WRT54GL with 2.4-kernel based tomato
  • Stop naming exploits! KRACK is idiotic. I wish heartbleed and shellshock had not been as nameable and chic.
  • by Anonymous Coward

    I just switched to WEP, as it's not impacted. Much safer.

  • On the krack attacks site, teh question is asked: "Do we now need WPA3?", and answered: "No". Yet the last sentence in that paragraph is: "Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks"! So my question is, how do we block unpatched clients from our wireless networks? It seems as if I was a bad guy, I would keep an unpatched device handy to do bad deeds and there's nothing anyone can do to stop me?
    • Obviously we need to migrate directly to WPA10. Or WPAX. Or WPA52.4.0. Or... What were we talking about, again, please?

    • It seems as if I was a bad guy, I would keep an unpatched device handy to do bad deeds and there's nothing anyone can do to stop me?

      Having your own unpatched device would just allow you to break the security of the connection between your unpatched device and the AP. What you want is to break into the connection between someone else's device and the AP. If that other device is patched you can't do it.

      Note that patching of APs isn't necessary unless the AP in question also acts as a client. So repeaters and mesh network nodes needs to be patched.

    • by dkman ( 863999 )

      Likewise, can I tell my client not to connect to unpatched APs?
      How do I tell if the hotel wifi is a trap or if it's OK?

  • Do I need to patch my Windows PC, my router, both, or exactly one of the two but it's not important which.
    • by Binestar ( 28861 )

      Do I need to patch my Windows PC, my router, both, or exactly one of the two but it's not important which.

      The most important in regards to this is the client. But you should patch both.

    • by thomst ( 1640045 )

      slashmydots inquired:

      Do I need to patch my Windows PC, my router, both, or exactly one of the two but it's not important which.

      If you're running Windows 9/10 and aren't blocking updates, your PC is already patched - so you're safe.

      But, when and as an update for your router becomes available, you really should patch it too. Remember: belt, suspenders, AND staples ...

  • Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.

    +5 Funny !

  • From the article:

    Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.

  • by KlomDark ( 6370 ) on Tuesday October 17, 2017 @09:18AM (#55382587) Homepage Journal

    With Windows 10 and other OSs saving WiFi passwords to the cloud and sharing with who knows, WiFi security has taken a dump anyway.

    Is there any way from the WiFi router to tell these OS incarnations "No, you do NOT have permissions to save these passwords!"?

  • Use a weak transmitter at various points at your home. Like the old blue tooth. End of problem.
  • by sootman ( 158191 )

    "While Windows machines are generally considered safe..."

    I've never read those words in almost 20 years of coming here.

You know you've landed gear-up when it takes full power to taxi.

Working...