[aklug] KRACK attack on WiFi at the protocol level (*all* clients affected)

Christopher Howard christopher at alaskasi.com
Mon Oct 16 09:07:32 AKDT 2017 

On think I am trying to get clear on is if it is enough, to protect a
client/ap interaction, to have just the client patched, or if both the
client and ap must be patched. It kind of sounded like (from the krack
web page) that it could be just one or the other, but it wasn't clear
to me.

I was able to patch my librecmc router this morning, and run updates on
my Debian clients, so I'm feeling pretty good at home. But more
concerning is the dd-wrt and linksys (proprietary) systems in my
workplace - getting patched firmware builds is proving more
challenging. So am wondering if it is good enough at present to just
run updates on all the clients, or if I should be sending out
frightening emails around the office about our wifi infrastructure
being insecure.

On Mon, 2017-10-16 at 07:39 -0800, Royce Williams wrote:
> Good question. That is my current (limited) understanding, yes.
> 
> On Mon, Oct 16, 2017 at 7:37 AM, Christopher Howard
> <christopher at alaskasi.com> wrote:
> > Does the server/router side stuff needs to be patched as well? I
> > saw a
> > hostapd security patch in master branch of the librecmc git repo
> > this
> > morning, so I patched my router. But am wondering about all the dd-
> > wrt/open-wrt routers out there that perhaps never get security
> > updates...
> > 
> > On Mon, 2017-10-16 at 06:23 -0800, Royce Williams wrote:
> > > Flaw with the protocol itself - so *anything* speaking Wi-Fi will
> > > need
> > > to be patched, including the long tail of legacy, EOL, and cheap
> > > IoT
> > > gear that will likely never be patched. Assume all Wi-Fi networks
> > > are
> > > observable until then (core mitigations is to use a VPN). Long
> > > term,
> > > recommend adding to RFPs for any gear (not just wireless) to
> > > ensure
> > > updates for X period of time.
> > > 
> > > Main announcement:
> > >     https://www.krackattacks.com/
> > > 
> > > Paper with background:
> > >     https://papers.mathyvanhoef.com/ccs2017.pdf
> > > 
> > > I will assemble what I know here:
> > >     http://www.techsolvency.com/story-so-far/krackattack/
> > > 
> > > Other good meta-threads and summaries, keep an eye on these:
> > >     https://github.com/kristate/krackinfo
> > >     https://www.reddit.com/r/sysadmin/comments/76lj5q/this_is_a_c
> > > ore_
> > > protocollevel_flaw_in_wpa2_wifi/
> > > 
> > > 
> > > Per-vendor stuff:
> > > 
> > > Aruba:
> > >     http://community.arubanetworks.com/t5/Wireless-Access/Core-le
> > > vel-
> > > protocol-flaw-in-WPA2/td-p/310038
> > >     http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_
> > > FAQ_
> > > Rev-1.pdfhttp://www.arubanetworks.com/support-services/security-
> > > bulletins/
> > > 
> > > wpa_supplicant:
> > >     https://w1.fi/cgit/hostap/commit/
> > > 
> > > 
> > > News:
> > > 
> > > https://arstechnica.com/information-technology/2017/10/severe-fla
> > > w-in
> > > -wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
> > > https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/
> > > 
> > > 
> > > CVEs:
> > > 
> > > CWE-323
> > > CVE-2017-13077
> > > CVE-2017-13078
> > > CVE-2017-13079
> > > CVE-2017-13080
> > > CVE-2017-13081
> > > CVE-2017-13082
> > > CVE-2017-13083
> > > CVE-2017-13084
> > > CVE-2017-13085
> > > CVE-2017-13086
> > > CVE-2017-13087
> > > 
> > > Royce
> > > _______________________________________________
> > > aklug mailing list
> > > aklug at aklug.org
> > > https://lists.aklug.org/mailman/listinfo/aklug
> > 
> > --
> > Christopher Howard
> > Enterprise Solutions Manager
> > Alaska Satellite Internet
> > 3239 La Ree Way
> > Fairbanks, Alaska 99709
> > 1-888-396-5623
> > https://alaskasatelliteinternet.com
> > personal web site: https://qlfiles.net
> > https://emailselfdefense.fsf.org/en/
> > 
> > 
-- 
Christopher Howard
Enterprise Solutions Manager
Alaska Satellite Internet
3239 La Ree Way
Fairbanks, Alaska 99709
1-888-396-5623
https://alaskasatelliteinternet.com
personal web site: https://qlfiles.net
https://emailselfdefense.fsf.org/en/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://lists.aklug.org/pipermail/aklug/attachments/20171016/57100f5b/attachment.asc>

More information about the aklug mailing list