• [FreeBSD-Announce] FreeBSD Security Notice: WPA2 vulnerabilities

    From FreeBSD Security Advisories@21:1/5 to All on Mon Oct 16 23:00:00 2017
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Dear FreeBSD community,

    As many have already noticed, there are a few newly disclosed WPA2
    protocol vulnerabilities that affect wpa_supplicant and hostapd, and
    which also affect all supported FreeBSD releases:

    A vulnerability was found in how a number of implementations can be
    triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
    replaying a specific frame that is used to manage the keys.

    Such reinstallation of the encryption key can result in two different
    types of vulnerabilities: disabling replay protection and significantly
    reducing the security of encryption to the point of allowing frames to
    be decrypted or some parts of the keys to be determined by an attacker
    depending on which cipher is used.

    We are actively working on a patch for the base system to address these
    issues. Current users who use Wi-Fi with WPA2 should use a wired
    connection as a workaround, and we strongly recommend using end-to-end
    encryption methods like HTTPS or SSH to better protect against this type
    of attack. Please note that a successful attack requires close
    proximity to the victim systems.

    Alternatively, we recommend that wpa_supplicant users who are concerned
    about the issue install an updated version from the ports/packages
    collection (version 2.6_2 or later). It can be installed via ports
    with:

    portsnap fetch update
    cd /usr/ports/security/wpa_supplicant
    make clean; make all deinstall install clean;

    Change /etc/rc.conf to make use of the port/package version by adding:

    wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"

    And restart the Wi-Fi network interfaces or reboot the system.

    Additional information about this remediation will be released as
    SA-17:07 once it becomes available.

    For more information about the vulnerabilities, please see the following
    online resources:
    https://www.krackattacks.com/
    https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

    Sincerely,
    The FreeBSD Security Team

    -----BEGIN PGP SIGNATURE-----

    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-announce@freebsd.org mailing list
    https://lists.freebsd.org/mailman/listinfo/freebsd-announce
    To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
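
The workaround in the notice has two parts: a port at version 2.6_2 or later, and an rc.conf entry that selects the port's binary. The script below is an added example, not part of the notice or of FreeBSD's own tooling, that checks both. The function names are hypothetical, the version comparison is a simplified stand-in for pkg's, and the sample rc.conf is constructed.

```sh
#!/bin/sh
# Added example (not FreeBSD project code): check both steps of the workaround.
FIXED_VERSION="2.6_2"                         # minimum port version, from the notice
PORT_BINARY="/usr/local/sbin/wpa_supplicant"  # rc.conf value, from the notice

# Print the effective wpa_supplicant_program from an rc.conf-style file.
# rc.conf is sourced as shell, so the last assignment wins.
rcconf_wpa_program() {
    sed -n 's/^[[:space:]]*wpa_supplicant_program=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Succeed if version $1 >= $2. Assumption: ports-style X.Y[.Z][_REVISION] with
# numeric components only; this simplifies what pkg itself compares.
version_at_least() {
    have=${1%%_*}; want=${2%%_*}; have_rev=0; want_rev=0
    case $1 in *_*) have_rev=${1##*_} ;; esac
    case $2 in *_*) want_rev=${2##*_} ;; esac
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        if [ "${h:-0}" -gt "${w:-0}" ]; then return 0; fi
        if [ "${h:-0}" -lt "${w:-0}" ]; then return 1; fi
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    [ "$have_rev" -ge "$want_rev" ]
}

# check_remediation RC_CONF INSTALLED_VERSION: status 0 only if both steps are done.
# On a live host the version would come from: pkg query %v wpa_supplicant
check_remediation() {
    result=0
    prog=$(rcconf_wpa_program "$1")
    if [ "$prog" != "$PORT_BINARY" ]; then
        echo "FAIL: wpa_supplicant_program is '${prog:-unset}', expected $PORT_BINARY"
        result=1
    fi
    if ! version_at_least "$2" "$FIXED_VERSION"; then
        echo "FAIL: installed version $2 is older than $FIXED_VERSION"
        result=1
    fi
    if [ "$result" -eq 0 ]; then echo "OK: $PORT_BINARY $2 configured"; fi
    return "$result"
}

# Constructed sample rc.conf and versions, so the check runs offline.
sample=$(mktemp)
printf '%s\n' 'ifconfig_wlan0="WPA SYNCDHCP"' "wpa_supplicant_program=\"$PORT_BINARY\"" > "$sample"
check_remediation "$sample" "2.6_1" || true   # configured, but port too old
check_remediation "$sample" "2.6_2"; rm -f "$sample"
```

A passing check only covers configuration on disk; the notice's final step, restarting the Wi-Fi interfaces or rebooting, is still needed for the running daemon to change.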
