Dear FreeBSD community,

As many have already noticed, there are a few newly disclosed WPA2
protocol vulnerabilities that affect wpa_supplicant and hostapd, which
also affect all supported FreeBSD releases:

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.

Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

We are actively working on a patch for the base system to address these
issues. Current users who use Wi-Fi with WPA2 should use a wired
connection as a workaround, and we strongly recommend using end-to-end
encryption methods like HTTPS or SSH to better protect against this type
of attack. Please note that a successful attack requires close
proximity to the victim systems.

Alternatively, we recommend that wpa_supplicant users who are concerned
about the issue install an updated version from the ports/packages
collection (version 2.6_2 or later). It can be installed via ports
with:

    portsnap fetch update
    cd /usr/ports/security/wpa_supplicant
    make clean; make all deinstall install clean;

Change /etc/rc.conf to make use of the port/package version by adding:

    wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"

And restart the Wi-Fi network interfaces or reboot the system.

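One way to confirm the workaround above is in place, as an added example that is not part of the advisory or of FreeBSD's own tooling: it checks a single rc.conf file for the port binary and compares an installed port version against 2.6_2. The function names are hypothetical, the rc.conf content is constructed, and the comparison assumes dotted numeric versions with an optional _PORTREVISION suffix.

```shell
MIN_VERSION="2.6_2"                          # fixed port version named in the advisory
PORT_BIN="/usr/local/sbin/wpa_supplicant"    # path the advisory puts in rc.conf

# rc_conf_program FILE: print the last active wpa_supplicant_program value in FILE.
rc_conf_program() {
    sed -n 's/^[[:space:]]*wpa_supplicant_program=//p' "$1" |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | tail -n 1
}

# version_ge A B: succeed if port version A >= B (assumption: numeric dotted
# parts and _PORTREVISION only; no PORTEPOCH, no letters in the version).
version_ge() {
    a_base=${1%%_*}; b_base=${2%%_*}; a_rev=0; b_rev=0
    case $1 in *_*) a_rev=${1##*_} ;; esac
    case $2 in *_*) b_rev=${2##*_} ;; esac
    while [ -n "$a_base" ] || [ -n "$b_base" ]; do
        a_part=${a_base%%.*}; b_part=${b_base%%.*}
        [ "${a_part:-0}" -gt "${b_part:-0}" ] && return 0
        [ "${a_part:-0}" -lt "${b_part:-0}" ] && return 1
        case $a_base in *.*) a_base=${a_base#*.} ;; *) a_base= ;; esac
        case $b_base in *.*) b_base=${b_base#*.} ;; *) b_base= ;; esac
    done
    [ "$a_rev" -ge "$b_rev" ]   # base versions equal: PORTREVISION decides
}

# check_remediation RC_CONF INSTALLED_VERSION: report whether both steps are done.
check_remediation() {
    prog=$(rc_conf_program "$1")
    if [ "$prog" != "$PORT_BIN" ]; then
        echo "FAIL: rc.conf still uses the base wpa_supplicant (program='$prog')"
        return 1
    fi
    if ! version_ge "$2" "$MIN_VERSION"; then
        echo "FAIL: installed port $2 is older than $MIN_VERSION"
        return 1
    fi
    echo "OK: port $2 selected via wpa_supplicant_program"
}

# Constructed sample rc.conf (not from a real host).
sample=$(mktemp)
printf '%s\n' 'ifconfig_wlan0="WPA SYNCDHCP"' \
    'wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"' > "$sample"
check_remediation "$sample" "2.6_2"          # meets the minimum
check_remediation "$sample" "2.6_1"          # one revision too old
rm -f "$sample"
```

On a FreeBSD host the inputs would be /etc/rc.conf and the version printed by `pkg query %v wpa_supplicant`; settings in other rc.conf files are not considered.
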
Additional information about this remediation will be released as
SA-17:07 once it becomes available.

For more information about the vulnerabilities, please see the following
online resources:

https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Sincerely,
The FreeBSD Security Team
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"