Slashdot Mirror

← Back to Stories (view on slashdot.org)

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com)

Posted by BeauHD on from the here-and-now dept.

An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.

Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches.

Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.

AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."

Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.

"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said.

In other words, some patches are available, but others are pending the investigation.

Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.

Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.

FreeBSD Project: There is no official response at the time of writing.

Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."

HostAP: The Linux driver provider has issued several patches in response to the disclosure.

Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.

Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.

Netgear: Netgear has released fixes for some router hardware. The full list can be found here.

Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.

MikroTik: The vendor has already released patches that fix the vulnerabilities.

OpenBSD: Patches are now available.

Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.

Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.

Wi-Fi Standard: A fix is available for vendors but not directly for end users.

17 of 140 comments (clear)

  1. Re:Better list by olsmeister · · Score: 5, Informative

    here.

  2. Open BSD Linux ... WTF by Zero__Kelvin · · Score: 2

    I love how the section on Linux patch availability talks about one of the BSDs. Always good to hear about your mission critical patches from people who don't know the difference.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:Open BSD Linux ... WTF by iggymanz · · Score: 2

      well I do love how OpenBSD already fixed this months ago

    2. Re:Open BSD Linux ... WTF by Anonymous Coward · · Score: 5, Informative

      well I do love how OpenBSD already fixed this months ago

      The discoverer of the vulnerability states on his website that openbsd (Theo Radt) broke the embargo in July. Not much to love with that, since it reduced the security of everybody else. You will notice that most everybody else (Google seems to have been asleep), had patches ready _today_. This was when the embargo was lifted.

      Going to the discoverer's site ( https://www.krackattacks.com/ ) last night got you a page that said, "just a test that domain name and webserver are working." Unlike Theo, he was honoring the embargo-- this morning, he posted info about the exploit on that website.

    3. Re:Open BSD Linux ... WTF by CrAlt · · Score: 2

      Not much to love with that, since it reduced the security of everybody else.

      Why should Theo wait around for everyone else and leave his users vulnerable? An embargo for a few business days after notifying sure. But for MONTHS?

      Does anyone really think this flaw didn't leak out to the bad guys from one of the vendors the second they where notified?

      --
      I have to return some videotapes...
    4. Re:Open BSD Linux ... WTF by swillden · · Score: 2

      If OpenBSD doesn't honor embargoes,

      "Hey I found a flaw in your OS. I am also telling shittons of other people about it. Please respect my embargo and not fix it for 6 months. ok thanks"

      Yep.

      The alternative is "Hey I found a flaw in your OS six months ago and told shittons of other people about it. I'm publishing it tomorrow. I didn't tell you earlier because you don't honor embargoes."

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Open BSD Linux ... WTF by jofas · · Score: 2

      The _real_ point of an embargo is to allow those businesses participating in the embargo to save face. The embargo does not serve the user. Theo could have specifed that his patch was simply good practice, which is true. He did not advertise the reason for the patch either.
      Besides, patching one system does not magically make the others vulnerable. They were already vulnerable.
      On all counts, your argument has no leg to stand on, and yet we continue to allow this horseshit that vendors release vuln information like it's a fucking media event with previews and trailers.

      Stop encouraging the koolaid-drinking.

  3. You only need to patch the CLIENT by Anonymous Coward · · Score: 4, Interesting

    Just to be clear, you probably only need to patch the client devices, not the wireless access points. In particular, https://www.krackattacks.com says the following:

    Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. ... For ordinary home users, your priority should be updating clients such as laptops and smartphones.

    1. Re:You only need to patch the CLIENT by billrp · · Score: 2, Informative

      Or patch the router to protect those clients that have not yet been patch.

    2. Re:You only need to patch the CLIENT by Anonymous Coward · · Score: 2, Informative

      NO! Read what you responded to (and the link): the exploit does not target access points, only clients. Patching the access point doesn't do anything unless the AP itself is a client to another AP. An unpatched client on a patched AP is still 100% vulnerable.

      Patch your clients!

  4. What about DD-WRT, Tomato and the others by williamyf · · Score: 2

    Yup, what about them?

    Well, in a reasonably quality article (on windows central), linked from the Crappy article linked on the front page of Slashdot (as ussual), they had the info for DD-WRT and LEDE (OpenWRT). It turns out that the Source has been modified already, but no firmware images produced yet.

    Now, is just wait and see.

    Here is the more decent article:
    https://www.windowscentral.com...

    --
    *** Suerte a todos y Feliz dia!
    1. Re:What about DD-WRT, Tomato and the others by fisted · · Score: 3, Informative

      From your link:

      Official OpenWrt support for the WRT AC Series began under Chaos Calmer, with the LEDE Branch being the recommended Branch for the WRT AC Series

      OpenWrt has not been actively maintained for the better part of a year and is no longer recommended for utilization.
      Last major commits for OpenWrt were close to a year ago, and as such, LEDE is recommended for utilization.

      --
      CLI paste? paste.pr0.tips!
  5. how many products will be obsoleted by this? by Anonymous Coward · · Score: 4, Insightful

    due to manufacturers and vendors choosing NOT to fix this for whatever reason (they simply don't care, not cost effective, not enough users to justify the effort, product no longer sold, product too old, product is EOL, etc, etc)....

    vista and older are fucked, routers and access points older than about 3 years are fucked, wireless gear from lesser known companies are fucked, tablets from major vendors more than 3 years old are fucked, tablets from unknown vendors are fucked, phones that aren't current models are fucked.. there's a lot of gear that is going to be junk.. a LOT.

    1. Re:how many products will be obsoleted by this? by tlhIngan · · Score: 3, Informative

      due to manufacturers and vendors choosing NOT to fix this for whatever reason (they simply don't care, not cost effective, not enough users to justify the effort, product no longer sold, product too old, product is EOL, etc, etc)....

      In an ideal world, you'd patch both the client AND the AP. Doing so eliminates all the vulnerabilities.

      But even if you can't, updating the AP already eliminates a whole class of vulnerabilities. Updating the client by itself, the same.

      So the best results are had by updating everything. But even if you can't, updating the AP alone can help a lot.

      So update what you can, and the older stuff, well, it was already vulnerable anyways from other flaws so I wouldn't worry too much about this.

      My only question is where the UBNT stuff is... firmware 3.9 is supposed to fix it, but all I see for the Unifi stuff is 3.8.

  6. Can unpatched clients be blocked? by m0gely · · Score: 2

    On the krack attacks site, teh question is asked: "Do we now need WPA3?", and answered: "No". Yet the last sentence in that paragraph is: "Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks"! So my question is, how do we block unpatched clients from our wireless networks? It seems as if I was a bad guy, I would keep an unpatched device handy to do bad deeds and there's nothing anyone can do to stop me?

    1. Re:Can unpatched clients be blocked? by Zontar+The+Mindless · · Score: 2

      Obviously we need to migrate directly to WPA10. Or WPAX. Or WPA52.4.0. Or... What were we talking about, again, please?

      --
      Il n'y a pas de Planet B.
  7. Does it even matter any more? by KlomDark · · Score: 2

    With Windows 10 and other OSs saving WiFi passwords to the cloud and sharing with who knows, WiFi security has taken a dump anyway.

    Is there any way from the WiFi router to tell these OS incarnations "No, you do NOT have permissions to save these passwords!"?