• OpenBSD errata, Mar 1, 2017

    From Stefan Sperling@21:1/5 to All on Wed Mar 1 22:45:02 2017
    A man-in-the-middle vulnerability has been found in OpenBSD's wireless stack.
    A malicious access point can trick an OpenBSD client using WPA1 or WPA2 into connecting to this malicious AP instead of the desired AP. When this attack is used successfully, the OpenBSD client will send and accept unencrypted frames.

    This problem only affects OpenBSD clients. OpenBSD access points are unaffected.

    Thanks to Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> for finding and reporting the issue, providing a demo exploit and an initial patch, and working through several iterations of the patch together with me.

    The problem has been fixed in -current. For 5.9 and 6.0 the following errata patches are available.

    https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/018_net80211.patch.sig

    https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/035_net80211.patch.sig
