On 19/10/2017 21:42, Celejar wrote
[...]
like the printer. Henrique recently noted that there is a setting
available on new OpenWRT and LEDE builds that can help, but it's
apparently not yet included in any release yet:
https://lists.debian.org/debian-user/2017/10/msg00593.html
Celejar
I sent that a day ago, but for some reason it didn't make it to the list:
Hi,
17.01.4 just released [2] with fixed wpa and possibility to activate an AP side
workaround. It is just a mitigation really, but should in practice impair an
exploit. It is OFF by default.
Quote:
"an optional AP-side
workaround was introduced in hostapd to complicate these attacks,
slowing them down. Please note that this does not fully protect you from
them, especially when running older versions of wpa_supplicant
vulnerable to CVE-2017-13086, which the workaround does not address. As
this workaround can cause interoperability issues and reduced robustness
of key negotiation, this workaround is disabled by default."
Option in hostapd.sh [1] is:
wpa_disable_eapol_key_retries
[1]
https://git.lede-project.org/?p=source.git;a=commitdiff;h=d501786ff25684208d22b7c93ce60c194327c771
[2] https://downloads.lede-project.org/releases/17.01.4/targets/
So it is part of Latest LEDE release, but I am not aware of other distro
using this workaround. It comes with a few potential problems, so must
be thoroughly tested before being deployed, and it likely breaks
standards which is never good.