KRACK vulnerability in WPA2

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that's scheduled for 8am Monday, East Coast time. A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running the Android, Linux, Apple, Windows, and OpenBSD operating systems, as well as MediaTek, Linksys, and other types of devices. The site warned that attackers can exploit it to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol.

"This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."

..."Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations," the researchers explained. "For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps."

...Researchers briefed on the vulnerabilities said they are indexed as: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities.

One more advantage of my trusty old ethernet cable...

EDIT: Looks like Arch fixed it today with wpa_supplicant version 1:2.6-11 (https://security.archlinux.org/AVG-447)


How is Manjaro handling this? Obviously this update needs to be fast-forwarded to stable soon.

The biggest problem with that is those millions of access points, all-in-one SoHo routers, that will get their updates, if ever, in IT centuries....

The handshake - as far as I understood it - must be fixed on both sides?

Clients are the main target. Taken directly from https://www.krackattacks.com/:

What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.


I don't know how kosher this is, but I just downloaded the wpa_supplicant package from the Manjaro testing repo, manually checked the GPG signature, and installed it with "pacman -U". Pacman didn't need to upgrade any dependencies (I'm assuming it checked), so apparently it's a simple upgrade. If it really is that simple, I do wonder why this has not been pushed directly to stable. Sometimes, in dire cases like this, it seems like security might be more important than stability.


Yup, updated manually to 2.6-11 or whatever the patched version is and it runs fine, probably good to go on pushing it to stable.


Another problem is that Android phones in the U.S.A. typically receive updates at the whim of service providers. I fear that it will not be a priority for service providers to push updates to every model of phone in use by their customers. This will probably leave millions of smartphones vulnerable to the attack.

Yeah, did more or less the same.

Agree.

+1 for pushing patch to stable.

Fixed with v1:2.6-8.1 in stable and with v1:2.6-11 in testing and unstable.

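An added check (my own code, not from the thread or from Manjaro): it compares an installed wpa_supplicant version, as printed by `pacman -Q wpa_supplicant`, against the fixed versions named above, reproducing pacman's epoch:pkgver-pkgrel ordering so that a stable box on 1:2.6-8.1 is correctly reported as patched while a pre-fix 2.6-7 (no epoch) is not. The sample `pacman -Q` line is constructed.

```python
import re

# Fixed wpa_supplicant versions per Manjaro branch, as stated in the thread.
FIXED_VERSIONS = {
    "stable": "1:2.6-8.1",
    "testing": "1:2.6-11",
    "unstable": "1:2.6-11",
}

# Constructed sample of what `pacman -Q wpa_supplicant` prints on a patched box.
SAMPLE_PACMAN_Q = "wpa_supplicant 1:2.6-11"

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def _segments(s):
    """Split a pkgver/pkgrel into numeric and alphabetic runs, dropping separators."""
    return [int(t) if t.isdigit() else t for t in _SEGMENT.findall(s)]

def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x == y:
            continue
        # A numeric segment sorts after an alphabetic one at the same position.
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return 1 if x > y else -1
    if len(a) == len(b):
        return 0
    longer, sign = (a, 1) if len(a) > len(b) else (b, -1)
    # Leftover alpha (e.g. "rc1") marks a pre-release, so the shorter version is newer.
    return -sign if isinstance(longer[min(len(a), len(b))], str) else sign

def parse_version(v):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel); epoch defaults to 0."""
    epoch, _, rest = v.rpartition(":")
    pkgver, _, pkgrel = rest.partition("-")
    return int(epoch or 0), pkgver, pkgrel or "0"

def vercmp(a, b):
    """Return -1, 0 or 1 like pacman's vercmp: epoch first, then pkgver, then pkgrel."""
    ea, va, ra = parse_version(a)
    eb, vb, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _cmp_segments(_segments(va), _segments(vb)) or _cmp_segments(_segments(ra), _segments(rb))

def is_patched(pacman_q_line, branch):
    """True if the version in a 'pacman -Q wpa_supplicant' line is at or past the branch's fix."""
    name, installed = pacman_q_line.split()
    if name != "wpa_supplicant":
        raise ValueError("expected a wpa_supplicant line, got %r" % name)
    return vercmp(installed, FIXED_VERSIONS[branch]) >= 0

if __name__ == "__main__":
    print("patched on testing:", is_patched(SAMPLE_PACMAN_Q, "testing"))
```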

How can I get 1:2.6-8.1 on stable? I ran pacman-mirrors -f 0 and -Syy'd, but I'm not getting any updates.

I had it uploaded. Please use the mirror Netzspielplatz based in Germany, which syncs every 5 minutes. Else wait until your mirror has the new package.


Thanks for the fast fix!

How is this a solution? This is a SEVERE issue. Pushing it to your testing and unstable repos is not how you handle this kind of security issue.

Did you actually read his message?
The fix is in stable too. But the fix was backported
and built with all dependencies from the stable branch.


Did you actually pay attention to the post?

I hope that is more clear now for you.


LOL...


hostap is still missing from community, and affected: https://lists.manjaro.org/pipermail/manjaro-security/2017-October/000572.html

I also want to see the wpa_supplicant PKGBUILD for the backported patches.

He certainly used the PKGBUILD from Arch and just modified the package number. This way, when the other package is pushed from testing to stable, it will also be updated.

Instead of pushing the fixed package from unstable/testing straight to stable? That makes no sense.
