Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com)
An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and that it will be rolling them out in a software update in a few weeks.
Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches.
Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.
AVM: This company may not be taking the issue seriously enough, as, due to its "limited attack vector," and despite being aware of the issue, it will not be issuing security fixes "unless necessary."
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said.
In other words, some patches are available, but others are pending the investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: There is no official response at the time of writing.
Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
HostAP: The Linux driver provider has issued several patches in response to the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drivers and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
MikroTik: The vendor has already released patches that fix the vulnerabilities.
OpenBSD: Patches are now available.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end users.
I just updated the WiFi exploit and Adobe flash for it. They have my back covered.
There's a more complete list on Bleeping Computer. Too lazy to share the link. Saw it earlier today
I love how the section on Linux patch availability talks about one of the BSDs. Always good to hear about your mission critical patches from people who don't know the difference.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July
Makes mental note to never even look up what 'Charged' is.
Just to be clear, you probably only need to patch the client devices, not the wireless access points. In particular, https://www.krackattacks.com says the following:
So when is Apple going to patch their router hardware?
Tim Cook may have forgotten that Apple sells wifi APs, but I haven't.
My labor belongs to nobody but me.
Yup, what about them?
Well, in a reasonably quality article (on windows central), linked from the Crappy article linked on the front page of Slashdot (as usual), they had the info for DD-WRT and LEDE (OpenWRT). It turns out that the Source has been modified already, but no firmware images produced yet.
Now, it is just wait and see.
Here is the more decent article:
https://www.windowscentral.com...
*** Good luck to everyone and have a happy day!
One piece of information I did not find is the status when the WPA supplicant is vulnerable and the AP is fixed. Is an attack possible in that setup?
Also, WPA enterprise often uses EAP/TTLS for authentication. KRACK seems unable to compromise what happens inside the TLS tunnel. Is that the case?
See subject: I don't USE that shit here @ home - wireless is for those who are NOT security-conscious or just ignorant of its track-record (like encryption is) - sooner or later, it's permeable, period.
* Am I bullshitting anyone here?
APK
P.S.=> I trust CABLES (shielded if/when possible) over 'wireless' by far (besides, copper's a FAR better conduit for signal than aerial beaming (wireless drops packets like mad vs. hardwired)- especially on TCP/IP protocols (TCP part demands 2-way handshakes, UDP doesn't) & TCP is in use - think about all this & decide for yourself (I did - & I don't need laptops/tablets etc. in every room so why use something KNOWN to be 'shaky' & on BOTH security + reliability of signal concerns for? So it made no sense to me @ all using it)... apk
Their website has a Google Maps link and they're located just south of Longdong Ave in Shanghai. Why aren't Americans more willing to memorialize porn stars with street names?
...we will be patching any* affected devices in the coming weeks
*For values of 'any' which do not include devices arbitrarily EOL'd by Google's bean-counting department.
cocaine.
due to manufacturers and vendors choosing NOT to fix this for whatever reason (they simply don't care, not cost effective, not enough users to justify the effort, product no longer sold, product too old, product is EOL, etc, etc)....
vista and older are fucked, routers and access points older than about 3 years are fucked, wireless gear from lesser known companies are fucked, tablets from major vendors more than 3 years old are fucked, tablets from unknown vendors are fucked, phones that aren't current models are fucked.. there's a lot of gear that is going to be junk.. a LOT.
Stop naming exploits! KRACK is idiotic. I wish heartbleed and shellshock had not been as nameable and chic.
OMG facts!
I just switched to WEP, as it's not impacted. Much safer.
Your labor is presumably your own, but if you make any sort of profitable exchange with it, then that would be enabled by...wait for it...other people. In order to trade, you need things like stable ownership, which means that we agree not to take your stuff when you walk away from it. In exchange for enforcing your property rights, we tax your income (not your labor). Keep going though, I've got a Fallacy Bingo card I want to fill up.
On the krack attacks site, the question is asked: "Do we now need WPA3?", and answered: "No". Yet the last sentence in that paragraph is: "Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks"! So my question is, how do we block unpatched clients from our wireless networks? It seems as if I was a bad guy, I would keep an unpatched device handy to do bad deeds and there's nothing anyone can do to stop me?
American workers already work harder, longer, and for less in return than the workers of any other developed nation. Wealthy Americans and US corporations already pay less in taxes than wealthy individuals or corporations do in any other developed nation.
So you're actually promising us more--HEAPS more--of the same.
No, really.
Do I need to patch my Windows PC, my router, both, or exactly one of the two but it's not important which.
...arrived October 16th at 22:44 UTC:
https://lists.freebsd.org/pipermail/freebsd-announce/2017-October/001805.html
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
+5 Funny !
From the article:
Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Ubiquiti firmware is still not available in the Unifi Control Panel. You have to install the Beta in order to push F/W to APs unless you want to do it manually, and who wants to install a Beta on a production system?
It's a constant stream of crap from those guys... they pat themselves on the back for an incomplete job not well done at all.
I've more than DOUBLED these upmods since I posted this years ago vs. KGIII proving him wrong https://it.slashdot.org/comments.pl?sid=3417867&cid=42749095/
* EAT YOUR WORDS...
(That link hits YOUR "disconnect button" troll & SHUTS YOU DOWN, easily...)
APK
P.S.=> YOURS is the price of being an UNIDENTIFIABLE anonymous trolling off-topic "ne'er-do-well" in yourself, lol... apk
See subject: I don't get problems in security like this OR performance issues of packet drop etc. WiFi gives - how is it bs?
APK
P.S.=> It's PURE FACT & you probably left the router's default password @ factory settings (easily found online & once someone has your IP address? They can do what was done to you (part of the reason I post here & elsewhere online via proxies - to avoid attacks by site webmasters etc. - as soon there will be a "hack back" law (NOT that I 'hack' doing proxies either, I just use them to avoid tracking + to override posting limits)) YES - it's REALLY a bill (or being suggested as one for passing into law) in congress right now in fact... apk
WRONG: My home has 14 rooms total so EAT YOUR WORDS unidentifiable off-topic "ne'er-do-well" troll!
* Unbelievable - doesn't "your kind" have anything BETTER to do?
(Apparently not!)
APK
P.S.=> Try doing something like this as I can easily show to my credit of /.ers liking & using my work complimenting it instead (it's a better way to use YOUR WASTED TIME but then again? I expect too much from "your kind", lol) https://news.slashdot.org/comments.pl?sid=11236647&cid=55377085/ ... apk
With Windows 10 and other OSs saving WiFi passwords to the cloud and sharing with who knows, WiFi security has taken a dump anyway.
Is there any way from the WiFi router to tell these OS incarnations "No, you do NOT have permissions to save these passwords!"?
Use a weak transmitter at various points at your home. Like the old Bluetooth. End of problem.
maybe stay away from that women's studies degree next time.
"While Windows machines are generally considered safe..."
I've never read those words in almost 20 years of coming here.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
See subject: Stop its ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
Already published: https://www.freebsd.org/securi...
-- mg
See subject & this (it works vs. Intel AMT/IME) https://mobile.slashdot.org/comments.pl?sid=11242973&cid=55385281/
* Enjoy!
(No need to unsolder a damn thing - you just cut its software update interface off (vs. it being changed by update so THIS part works ->) & then disallow communication via port filtering.
APK
P.S.=> Common-sense - control Intel IME/AMT from OUTSIDE your motherboard easily using a port filtering router/modem... apk
Ess Pee Aitch
Max from "Cube 2 - the Hypercube": "... Did she say 'Alex Trusk'? Oh Christ, we're dead..." Gov't. undercover agent 'mata hari' type: SEE SUBJECT Max again: "Alex Trusk? Hacker Extraordinaire?? He's a legend..."
* You WISH you were me unidentifiable anonymous off-topic puny TROLL... lol!
APK
P.S.=> "Alex Trusk doesn't exist" - but I? Do (more than exist - I constantly excel)... apk
I've been using a technique very similar to this for years. The use of a zero key is pretty slick though. WPA/2 have been flawed from the start. IMHO a proper radius WEP setup is still the hardest to crack.
SPH is a short form mnemonic of the advice we have been advocating for apk for some time now. He himself is now conditioned enough that even mentioning "three letters" triggers his internal monologue to silently mouth "Seek Professional Help". It's unfortunate that he is only able to act sporadically in seeking treatment for his mental health condition.
Slashdotters can help apk by reminding him of the three letters at every suitable opportunity. Moderators - don't moderate apk down, it just feeds his complex; instead, mod up the SPH responses. Apk will thank you for this charitable intervention.
The paper leaked in July. You have no way to control all the devs and all the hardware vendors around the world. One of them will end up leaking or selling the info sooner or later.
https://www.theregister.co.uk/...
Mathy Vanhoef and Frank Piessens of KU Leuven, the security researchers who discovered the flaw, alerted vendors in advance of going public on Monday. It appears developers and manufacturers got their first warning in July, around the time this unsigned paper [PDF] going over some of the KRACK techniques quietly emerged online.
So months go by with vendors sitting on a patch and there are still larger vendors (Apple?!?) with no patch released yet.
Notify, wait a week, then go public and let the chips fall where they may.
I was modded up in case you didn't notice, stupid troll. Don't you have anything better to do than be an off topic unidentifiable idiot who projects his OWN mental issues onto me giving away the fact you're mentally 'touched in the head' yourself?
APK
P.S.=> Seriously... apk
Uh, 1st, see subject (I never called you a monkey & was trying to HELP you). We had a guy here posting all about it for years in a HUGE post (with all sorts of really TOUGH things to try do to stop AMT/IME - I mean it. Methods that are a LOT more difficult than my blocking of it is, that's for sure). I actually read it & thought of what I put out to try help you here with & yes, it works (doesn't "kill" it but it does the next best thing, essentially paralyzing it by stopping AMT/IME's ability to communicate back & forth).
APK
P.S.=> Again, see subject - I never called you a monkey & really WAS trying to inform/help... apk
I didn't read your post, but casting my eyes over it, it looks like you only used allcaps on one word and no bolding whatsoever - what progress! Well done, you are doing well, keep going with the treatment, it seems to be working.
Then learn to read illiterate off-topic UNIDENTIFIABLE trolling worm: In case you hadn't noticed? I was upmodded for my post. +1 INFORMATIVE...
(Bet that just KILLS you, now doesn't it? Yes, obviously... lol!)
APK
P.S.=> Keep projecting you've got 'issues' but don't try project them onto ME... apk
Aw, and you used to claim you knew me
Apology accepted
Replying anonymously (often to yourself) 6 days later, STILL? You truly have issues.
* On this one I just said to myself "Let's see what the unidentifiable LOON does if I don't pay him any attention" & sat back watching... amazing - you're obsessively FIXATED on me STILL almost a week later trying to "get my attention" like some petulant child would!
You should seek professional help (I suspect you already have postcard man... in fact, I KNOW you have).
APK
P.S.=> Unbelievable, lol... apk
Just for you. Speaks my mind https://www.youtube.com/watch?...
APK