Re: cve-2017-13077 - WPA2 security vulni
In message , Franco Fichtner writes:
> > On 17. Oct 2017, at 12:32 AM, Cy Schubert wrote:
> >
> > I'll test it when I get home tonight. The WiFi here at the tech park is open
> > so, I couldn't test here.
>
> Tested:
>
> hostapd 2.6_1
> wpa_supplicant 2.6_2
>
> No apparent issues with the ports, preliminary connectivity
> checks work as expected. Started a public CFT over at OPNsense
> to gather more feedback.

Agreed.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: cve-2017-13077 - WPA2 security vulni
> On 17. Oct 2017, at 12:32 AM, Cy Schubert wrote:
>
> I'll test it when I get home tonight. The WiFi here at the tech park is open
> so, I couldn't test here.

Tested:

hostapd 2.6_1
wpa_supplicant 2.6_2

No apparent issues with the ports, preliminary connectivity checks work as expected. Started a public CFT over at OPNsense to gather more feedback.

Cheers,
Franco
Is there an RTC prejudice?
While I haven't [yet] experienced this problem. A bug[1] just came in on the amd64 list that is over a *year old*, and there are several individuals involved. As well as several [freebsd] versions. So I thought I'd raise the issue here. In case someone(tm) thinks they know what's wrong/ what to do.

1: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207677

--Chris
Re: pfind_locked(pid) fails when in a jail?
[stuff snipped]
> > >
> > pfind* does not do any filtering.
> >
Hmm, well I have no idea why the jailed mounts get looping in here then.

> > The real question though is why are you calling it in the first place. The calls
> > I grepped in nfscl_procdoesntexist are highly suspicious - there is no guarantee
> > the process you found here is the same you had at the time you were saving
> > the pid.
> >
Long long ago (about 2002) this code was written for OpenBSD2.6. I added a call from the kernel exit() code to do this. When I ported it to FreeBSD around 2005, I didn't find any way for a process exit notification to be done, so I created the first version of this code. (This way of doing it was first coded for Mac OS X 10.3, if I recall correctly.)

Since it does check that the time of process creation is the same, it doesn't seem likely that it would find a different process (ie. two processes with the same pid that were created at the same time within the clock resolution of that creation time seems highly unlikely in practice?).

> > There is no usable process exit notification right now, but it can be added
> > if necessary.
> >
If there was a way for the NFS client to register to get a notification that a given process is terminating (exit'ng), that could certainly be used instead of this code. I wouldn't want a call for every exit(), but only the ones that have NFSv4 opens.

>>
>> Does that mean there is something wrong with the existing eventhandler
>> notifications related to proc fork/exec/exit?
>>
>
>I already noted in the other mail that the current mechanism has
>avoidable global locking, lists traversals etc. But even with these
>issues fixed it calls everything for everyone.
>
>What's needed is a mechanism to register per-process callbacks. Details
>can be flamed over (e.g. should it require allocating a buffer per
>process or perhaps just one and then point to it from a resizable
>per-proc table when registered), but calling something which has nothing
>to do in almost all cases and from in a super inefficient way at that is
>definitely something we need to start cleaning up.

Yes, I would agree, although it doesn't explain what this CPU hog case is caused by.

Thanks for the comments and if you create/commit the above, let me know and I'll change the NFS client code to use it (if your patch doesn't do that).

rick
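The pid-plus-creation-time check discussed in the message above, as an added example that is not part of the thread and is not FreeBSD kernel code: a small userspace C model of a process table showing what a pid-only lookup misses after pid reuse, what the creation-time comparison catches, and the residual case where both creation times fall within the same clock tick. All names (`proc_find`, `owner_ref`, `reuse_scenario`, and so on) and the sample pid and timestamps are hypothetical.

```c
/* Added example: userspace model of the check discussed in the thread.
 * Not FreeBSD kernel code; every name and value below is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 8
#define GONE_PID_ONLY      0x1   /* pid-only check noticed the owner is gone */
#define GONE_PID_AND_START 0x2   /* pid + creation-time check noticed it */

struct proc_entry {              /* one slot of the modelled process table */
    bool     in_use;
    int      pid;
    uint64_t start_us;           /* creation time at clock resolution */
};

struct owner_ref {               /* what an open/lock owner saves at open time */
    int      pid;
    uint64_t start_us;
};

static struct proc_entry table[TABLE_SIZE];

static void table_reset(void) { memset(table, 0, sizeof(table)); }

static const struct proc_entry *proc_find(int pid)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (table[i].in_use && table[i].pid == pid)
            return &table[i];
    return NULL;
}

static bool proc_spawn(int pid, uint64_t start_us)
{
    if (proc_find(pid) != NULL)
        return false;                        /* pid is still live */
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (!table[i].in_use) {
            table[i] = (struct proc_entry){ true, pid, start_us };
            return true;
        }
    }
    return false;                            /* table full */
}

static void proc_exit(int pid)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (table[i].in_use && table[i].pid == pid)
            table[i].in_use = false;
}

/* Liveness by pid alone: a recycled pid makes a dead owner look alive. */
static bool owner_gone_pid_only(const struct owner_ref *o)
{
    return proc_find(o->pid) == NULL;
}

/* Liveness by pid and creation time: a recycled pid with a different
 * creation time is recognised as a different process. */
static bool owner_gone_pid_and_start(const struct owner_ref *o)
{
    const struct proc_entry *p = proc_find(o->pid);
    return p == NULL || p->start_us != o->start_us;
}

static int run_checks(const struct owner_ref *o)
{
    int result = 0;
    if (owner_gone_pid_only(o))      result |= GONE_PID_ONLY;
    if (owner_gone_pid_and_start(o)) result |= GONE_PID_AND_START;
    return result;
}

/* Owner (pid 1234, created at t=1000us) exits and the pid is handed to a
 * new process created at new_start_us. Returns which checks notice. */
static int reuse_scenario(uint64_t new_start_us)
{
    struct owner_ref owner = { 1234, 1000 };

    table_reset();
    if (!proc_spawn(owner.pid, owner.start_us)) return -1;
    proc_exit(owner.pid);
    if (!proc_spawn(owner.pid, new_start_us)) return -1;
    return run_checks(&owner);
}

/* Owner exits and nobody takes over the pid: both checks must notice. */
static int exit_scenario(void)
{
    struct owner_ref owner = { 1234, 1000 };

    table_reset();
    if (!proc_spawn(owner.pid, owner.start_us)) return -1;
    proc_exit(owner.pid);
    return run_checks(&owner);
}

int main(void)
{
    printf("plain exit:              0x%x\n", exit_scenario());
    printf("pid reused, later start: 0x%x\n", reuse_scenario(5000));
    printf("pid reused, same tick:   0x%x\n", reuse_scenario(1000));
    return 0;
}
```

The last scenario is the residual window the message calls unlikely: a comparison of saved values cannot distinguish two processes whose pid and recorded creation time are both equal, which is the gap a per-process exit notification would close.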
Re: pfind_locked(pid) fails when in a jail?
On Tue, 2017-10-17 at 00:38 +0200, Mateusz Guzik wrote:
> On Tue, Oct 17, 2017 at 12:24 AM, Rick Macklem wrote:
>
> > Hi,
> >
> > A problem w.r.t. the NFSv4 client's renew thread (nfscl) running up a lot of CPU
> > when the NFSv4 mount is in a jail has been reported to the freebsd-stable@
> > mailing list.
> >
> > I know nothing about jails, but when looking at the code, the most obvious
> > cause of this would be "pfind_locked(pid)" failing to find a process.
> > - Will a jail affect how pfind_locked() behaves?
> > - If the answer is "yes", then I need to know how to either...
> >   1 - Make pfind_locked() work the same as when no jail exists.
> >   OR
> >   2 - A way for the Renew thread can determine that a jail will affect pfind_locked()
> >       behaviour, so it can avoid this problem.
> > #1 is preferred, since #2 may not be 100% correct, although #2 would allow the
> > code to behave well for most cases. (The exception is a case where a file remains
> > open for a long period of time, with different processes doing byte range locks on
> > the file.)
> >
> pfind* does not do any filtering.
>
> The real question though is why are you calling it in the first place. The calls
> I grepped in nfscl_procdoesntexist are highly suspicious - there is no guarantee
> the process you found here is the same you had at the time you were saving
> the pid.
>
> There is no usable process exit notification right now, but it can be added
> if necessary.
>

Does that mean there is something wrong with the existing eventhandler notifications related to proc fork/exec/exit?

-- Ian
Re: pfind_locked(pid) fails when in a jail?
On Tue, Oct 17, 2017 at 12:24 AM, Rick Macklem wrote:

> Hi,
>
> A problem w.r.t. the NFSv4 client's renew thread (nfscl) running up a lot of CPU
> when the NFSv4 mount is in a jail has been reported to the freebsd-stable@
> mailing list.
>
> I know nothing about jails, but when looking at the code, the most obvious
> cause of this would be "pfind_locked(pid)" failing to find a process.
> - Will a jail affect how pfind_locked() behaves?
> - If the answer is "yes", then I need to know how to either...
>   1 - Make pfind_locked() work the same as when no jail exists.
>   OR
>   2 - A way for the Renew thread can determine that a jail will affect pfind_locked()
>       behaviour, so it can avoid this problem.
> #1 is preferred, since #2 may not be 100% correct, although #2 would allow the
> code to behave well for most cases. (The exception is a case where a file remains
> open for a long period of time, with different processes doing byte range locks on
> the file.)
>

pfind* does not do any filtering.

The real question though is why are you calling it in the first place. The calls I grepped in nfscl_procdoesntexist are highly suspicious - there is no guarantee the process you found here is the same you had at the time you were saving the pid.

There is no usable process exit notification right now, but it can be added if necessary.

--
Mateusz Guzik
RE: cve-2017-13077 - WPA2 security vulni
I'll test it when I get home tonight. The WiFi here at the tech park is open so, I couldn't test here.

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.

Cy Schubert or

-Original Message-
From: Franco Fichtner
Sent: 16/10/2017 13:34
To: Cy Schubert
Cc: Rodney W. Grimes; Kevin Oberman; Adrian Chadd; Lev Serebryakov; blubee blubeeme; Poul-Henning Kamp; FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni

> On 16. Oct 2017, at 10:19 PM, Cy Schubert wrote:
>
> It doesn't, which is why I patched the port at lunch today. It's a quick win
> with the time I had.

Thank you, much appreciated. Will give it some testing.

> I think we should update base to 2.6 and apply the patches.

Sounds like a plan when the port gives no apparent issues.

Cheers,
Franco
pfind_locked(pid) fails when in a jail?
Hi,

A problem w.r.t. the NFSv4 client's renew thread (nfscl) running up a lot of CPU when the NFSv4 mount is in a jail has been reported to the freebsd-stable@ mailing list.

I know nothing about jails, but when looking at the code, the most obvious cause of this would be "pfind_locked(pid)" failing to find a process.
- Will a jail affect how pfind_locked() behaves?
- If the answer is "yes", then I need to know how to either...
  1 - Make pfind_locked() work the same as when no jail exists.
  OR
  2 - A way for the Renew thread can determine that a jail will affect pfind_locked() behaviour, so it can avoid this problem.
#1 is preferred, since #2 may not be 100% correct, although #2 would allow the code to behave well for most cases. (The exception is a case where a file remains open for a long period of time, with different processes doing byte range locks on the file.)

Thanks in advance for any help w.r.t. jail behaviour, rick
Re: cve-2017-13077 - WPA2 security vulni
> On 16. Oct 2017, at 10:19 PM, Cy Schubert wrote:
>
> It doesn't, which is why I patched the port at lunch today. It's a quick win
> with the time I had.

Thank you, much appreciated. Will give it some testing.

> I think we should update base to 2.6 and apply the patches.

Sounds like a plan when the port gives no apparent issues.

Cheers,
Franco
RE: cve-2017-13077 - WPA2 security vulni
It doesn't, which is why I patched the port at lunch today. It's a quick win with the time I had.

I think we should update base to 2.6 and apply the patches.

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.

Cy Schubert or

-Original Message-
From: Franco Fichtner
Sent: 16/10/2017 11:57
To: Cy Schubert
Cc: Rodney W. Grimes; Kevin Oberman; Adrian Chadd; Lev Serebryakov; blubee blubeeme; Poul-Henning Kamp; FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni

> On 16. Oct 2017, at 8:50 PM, Cy Schubert wrote:
>
> Eight patches have been posted so, it should be easy to patch 2.5, MFC, and
> bring head up to 2.6 later. This should avoid the risk of possible
> regressions.

Nope, does not apply easily. Refactoring changed contexts, function names and variable usage logic between 2.5 and 2.6.

Cheers,
Franco
Re: cve-2017-13077 - WPA2 security vulni
I'll commit the wpa_supplicant port now but I don't have enough time this lunch hour to create a vuxml entry or to update the hostapd port.

It may be simpler to update base to 2.6 to facilitate patching. What do people think?

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.

In message <201710161936.v9gjarlo072...@slippy.cwsent.com>, Cy Schubert writes:
> Looking at the wpa_supplicant port, it may be a quicker win than base at
> the moment.
>
> I don't have much of my lunch hour left to complete anything.
>
> --
> Cheers,
> Cy Schubert
> FreeBSD UNIX: Web: http://www.FreeBSD.org
>
> The need of the many outweighs the greed of the few.
>
> In message om>, Oliver Pinter writes:
> > Hi Adrian!
> >
> > How big effort is to update the in-tree wpa_supplicant/hostapd to the
> > latest supported version?
> > Is there any known regression / feature loss when do the upgrade?
> >
> > On 10/16/17, Adrian Chadd wrote:
> > > Right, there are backported patches against 2.6, but we're running 2.5
> > > in contrib/ .
> > >
> > > This is all "I'm out of time right now", so if someone wants to do the
> > > ports work and/or the contrib work with the patches for this vuln then
> > > please do. I should be able to get to it in the next few days but I'm
> > > busy with family and employment.
> > >
> > > -adrian
> > >
> > > On 16 October 2017 at 10:19, Kevin Oberman wrote:
> > >> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote:
> > >>>
> > >>> hi,
> > >>>
> > >>> I got the patches a couple days ago. I've been busy with personal life
> > >>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> > >>> someone beats me to it, great, otherwise I'll try to do it in the next
> > >>> couple days.
> > >>>
> > >>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> > >>> everything to but so far nope. It should be easy enough to update the
> > >>> port for now as it's at 2.6.
> > >>>
> > >>> -adrian
> > >>>
> > >>> On 16 October 2017 at 06:04, Cy Schubert wrote:
> > >>> > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov
> > >>> > writes:
> > >>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
> > >>> >>
> > >>> >> > well, that's a cluster if I ever seen one.
> > >>> >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> > >>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> > >>> >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
> > >>> >
> > >>> > The gory details are here:
> > >>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
> > >>> >
> > >>> > The announcement is here:
> > >>> > https://www.krackattacks.com/
> > >>> >
> > >>> > --
> > >>> > Cheers,
> > >>> > Cy Schubert
> > >>> > FreeBSD UNIX: Web: http://www.FreeBSD.org
> > >>> >
> > >>> > The need of the many outweighs the greed of the few.
> > >>> >
> > >>
> > >> While I do not encourage waiting, it is quite likely that the upstream patch
> > >> will show up very soon now that the vulnerability is public.
> > >>
> > >> It's also worth noting that fixing either end of the connection is all that
> > >> is required, as I understand it. So getting an update for your AP is not
> > >> required. That is very fortunate as the industry has a rather poor record of
> > >> getting out firmware updates for hardware more than a few months old. Also,
> > >> it appears that Windows and iOS are not vulnerable due to flaws in their
> > >> implementation of the WPA2 spec. (Of course, if you update your AP(s), you
> > >> no longer need to worry about your end devices.
> > >> --
> > >> Kevin Oberman, Part time kid herder and retired Network Engineer
> > >> E-mail: rkober...@gmail.com
> > >> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Re: cve-2017-13077 - WPA2 security vulni
> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote:
>
> > hi,
> >
> > I got the patches a couple days ago. I've been busy with personal life
> > stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> > someone beats me to it, great, otherwise I'll try to do it in the next
> > couple days.
> >
> > I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> > everything to but so far nope. It should be easy enough to update the
> > port for now as it's at 2.6.
> >
> > -adrian
> >
> > On 16 October 2017 at 06:04, Cy Schubert wrote:
> > > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov
> > > writes:
> > >> On 16.10.2017 13:38, blubee blubeeme wrote:
> > >>
> > >> > well, that's a cluster if I ever seen one.
> > >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> > >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> > >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
> > >
> > > The gory details are here:
> > > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
> > >
> > > The announcement is here:
> > > https://www.krackattacks.com/
> > >
> > > --
> > > Cheers,
> > > Cy Schubert
> > > FreeBSD UNIX: Web: http://www.FreeBSD.org
> > >
> > > The need of the many outweighs the greed of the few.
> > >
>
> While I do not encourage waiting, it is quite likely that the upstream
> patch will show up very soon now that the vulnerability is public.
>
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record
> of getting out firmware updates for hardware more than a few months old.
> Also, it appears that Windows and iOS are not vulnerable due to flaws in
> their implementation of the WPA2 spec. (Of course, if you update your
> AP(s), you no longer need to worry about your end devices.
^^
From my reading of the attack it is the client side that must be fixed, you can not mitigate the client side bug by an update to the AP.

> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkober...@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

--
Rod Grimes rgri...@freebsd.org
Re: cve-2017-13077 - WPA2 security vulni
Looking at the wpa_supplicant port, it may be a quicker win than base at the moment.

I don't have much of my lunch hour left to complete anything.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.

In message , Oliver Pinter writes:
> Hi Adrian!
>
> How big effort is to update the in-tree wpa_supplicant/hostapd to the
> latest supported version?
> Is there any known regression / feature loss when do the upgrade?
>
> On 10/16/17, Adrian Chadd wrote:
> > Right, there are backported patches against 2.6, but we're running 2.5
> > in contrib/ .
> >
> > This is all "I'm out of time right now", so if someone wants to do the
> > ports work and/or the contrib work with the patches for this vuln then
> > please do. I should be able to get to it in the next few days but I'm
> > busy with family and employment.
> >
> > -adrian
> >
> > On 16 October 2017 at 10:19, Kevin Oberman wrote:
> >> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote:
> >>>
> >>> hi,
> >>>
> >>> I got the patches a couple days ago. I've been busy with personal life
> >>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> >>> someone beats me to it, great, otherwise I'll try to do it in the next
> >>> couple days.
> >>>
> >>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> >>> everything to but so far nope. It should be easy enough to update the
> >>> port for now as it's at 2.6.
> >>>
> >>> -adrian
> >>>
> >>> On 16 October 2017 at 06:04, Cy Schubert wrote:
> >>> > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov
> >>> > writes:
> >>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
> >>> >>
> >>> >> > well, that's a cluster if I ever seen one.
> >>> >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> >>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> >>> >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
> >>> >
> >>> > The gory details are here:
> >>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
> >>> >
> >>> > The announcement is here:
> >>> > https://www.krackattacks.com/
> >>> >
> >>> > --
> >>> > Cheers,
> >>> > Cy Schubert
> >>> > FreeBSD UNIX: Web: http://www.FreeBSD.org
> >>> >
> >>> > The need of the many outweighs the greed of the few.
> >>> >
> >>
> >> While I do not encourage waiting, it is quite likely that the upstream patch
> >> will show up very soon now that the vulnerability is public.
> >>
> >> It's also worth noting that fixing either end of the connection is all that
> >> is required, as I understand it. So getting an update for your AP is not
> >> required. That is very fortunate as the industry has a rather poor record of
> >> getting out firmware updates for hardware more than a few months old. Also,
> >> it appears that Windows and iOS are not vulnerable due to flaws in their
> >> implementation of the WPA2 spec. (Of course, if you update your AP(s), you
> >> no longer need to worry about your end devices.
> >> --
> >> Kevin Oberman, Part time kid herder and retired Network Engineer
> >> E-mail: rkober...@gmail.com
> >> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Re: cve-2017-13077 - WPA2 security vulni
> On 16. Oct 2017, at 8:50 PM, Cy Schubert wrote:
>
> Eight patches have been posted so, it should be easy to patch 2.5, MFC, and
> bring head up to 2.6 later. This should avoid the risk of possible
> regressions.

Nope, does not apply easily. Refactoring changed contexts, function names and variable usage logic between 2.5 and 2.6.

Cheers,
Franco
RE: cve-2017-13077 - WPA2 security vulni
Eight patches have been posted so, it should be easy to patch 2.5, MFC, and bring head up to 2.6 later. This should avoid the risk of possible regressions.

I haven't looked at the ports.

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.

Cy Schubert or

-Original Message-
From: Rodney W. Grimes
Sent: 16/10/2017 11:14
To: Kevin Oberman
Cc: Adrian Chadd; Cy Schubert; Lev Serebryakov; blubee blubeeme; Poul-Henning Kamp; FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni

> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote:
>
> > hi,
> >
> > I got the patches a couple days ago. I've been busy with personal life
> > stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> > someone beats me to it, great, otherwise I'll try to do it in the next
> > couple days.
> >
> > I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> > everything to but so far nope. It should be easy enough to update the
> > port for now as it's at 2.6.
> >
> > -adrian
> >
> > On 16 October 2017 at 06:04, Cy Schubert wrote:
> > > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov
> > > writes:
> > >> On 16.10.2017 13:38, blubee blubeeme wrote:
> > >>
> > >> > well, that's a cluster if I ever seen one.
> > >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> > >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> > >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
> > >
> > > The gory details are here:
> > > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
> > >
> > > The announcement is here:
> > > https://www.krackattacks.com/
> > >
> > > --
> > > Cheers,
> > > Cy Schubert
> > > FreeBSD UNIX: Web: http://www.FreeBSD.org
> > >
> > > The need of the many outweighs the greed of the few.
> > >
>
> While I do not encourage waiting, it is quite likely that the upstream
> patch will show up very soon now that the vulnerability is public.
>
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record
> of getting out firmware updates for hardware more than a few months old.
> Also, it appears that Windows and iOS are not vulnerable due to flaws in
> their implementation of the WPA2 spec. (Of course, if you update your
> AP(s), you no longer need to worry about your end devices.
^^
From my reading of the attack it is the client side that must be fixed, you can not mitigate the client side bug by an update to the AP.

> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkober...@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

--
Rod Grimes rgri...@freebsd.org
Re: cve-2017-13077 - WPA2 security vulni
Hi Adrian!

How big effort is to update the in-tree wpa_supplicant/hostapd to the latest supported version?
Is there any known regression / feature loss when do the upgrade?

On 10/16/17, Adrian Chadd wrote:
> Right, there are backported patches against 2.6, but we're running 2.5
> in contrib/ .
>
> This is all "I'm out of time right now", so if someone wants to do the
> ports work and/or the contrib work with the patches for this vuln then
> please do. I should be able to get to it in the next few days but I'm
> busy with family and employment.
>
> -adrian
>
> On 16 October 2017 at 10:19, Kevin Oberman wrote:
>> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote:
>>>
>>> hi,
>>>
>>> I got the patches a couple days ago. I've been busy with personal life
>>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
>>> someone beats me to it, great, otherwise I'll try to do it in the next
>>> couple days.
>>>
>>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
>>> everything to but so far nope. It should be easy enough to update the
>>> port for now as it's at 2.6.
>>>
>>> -adrian
>>>
>>> On 16 October 2017 at 06:04, Cy Schubert wrote:
>>> > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov
>>> > writes:
>>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
>>> >>
>>> >> > well, that's a cluster if I ever seen one.
>>> >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
>>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
>>> >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
>>> >
>>> > The gory details are here:
>>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
>>> >
>>> > The announcement is here:
>>> > https://www.krackattacks.com/
>>> >
>>> > --
>>> > Cheers,
>>> > Cy Schubert
>>> > FreeBSD UNIX: Web: http://www.FreeBSD.org
>>> >
>>> > The need of the many outweighs the greed of the few.
>>> >
>>
>> While I do not encourage waiting, it is quite likely that the upstream patch
>> will show up very soon now that the vulnerability is public.
>>
>> It's also worth noting that fixing either end of the connection is all that
>> is required, as I understand it. So getting an update for your AP is not
>> required. That is very fortunate as the industry has a rather poor record of
>> getting out firmware updates for hardware more than a few months old. Also,
>> it appears that Windows and iOS are not vulnerable due to flaws in their
>> implementation of the WPA2 spec. (Of course, if you update your AP(s), you
>> no longer need to worry about your end devices.
>> --
>> Kevin Oberman, Part time kid herder and retired Network Engineer
>> E-mail: rkober...@gmail.com
>> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Re: cve-2017-13077 - WPA2 security vulni
Right, there are backported patches against 2.6, but we're running 2.5 in contrib/ .

This is all "I'm out of time right now", so if someone wants to do the ports work and/or the contrib work with the patches for this vuln then please do. I should be able to get to it in the next few days but I'm busy with family and employment.

-adrian

On 16 October 2017 at 10:19, Kevin Oberman wrote:
> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote:
>>
>> hi,
>>
>> I got the patches a couple days ago. I've been busy with personal life
>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
>> someone beats me to it, great, otherwise I'll try to do it in the next
>> couple days.
>>
>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
>> everything to but so far nope. It should be easy enough to update the
>> port for now as it's at 2.6.
>>
>> -adrian
>>
>> On 16 October 2017 at 06:04, Cy Schubert wrote:
>> > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov
>> > writes:
>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
>> >>
>> >> > well, that's a cluster if I ever seen one.
>> >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
>> >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
>> >
>> > The gory details are here:
>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
>> >
>> > The announcement is here:
>> > https://www.krackattacks.com/
>> >
>> > --
>> > Cheers,
>> > Cy Schubert
>> > FreeBSD UNIX: Web: http://www.FreeBSD.org
>> >
>> > The need of the many outweighs the greed of the few.
>> >
>
> While I do not encourage waiting, it is quite likely that the upstream patch
> will show up very soon now that the vulnerability is public.
>
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record of
> getting out firmware updates for hardware more than a few months old. Also,
> it appears that Windows and iOS are not vulnerable due to flaws in their
> implementation of the WPA2 spec. (Of course, if you update your AP(s), you
> no longer need to worry about your end devices.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkober...@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Re: cve-2017-13077 - WPA2 security vulni
On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote: > hi, > > I got the patches a couple days ago. I've been busy with personal life > stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If > someone beats me to it, great, otherwise I'll try to do it in the next > couple days. > > I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update > everything to but so far nope. It should be easy enough to update the > port for now as it's at 2.6. > > > > -adrian > > > On 16 October 2017 at 06:04, Cy Schubert wrote: > > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov > > writes: > >> On 16.10.2017 13:38, blubee blubeeme wrote: > >> > >> > well, that's a cluster if I ever seen one. > >> It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, > >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, > >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. > > > > The gory details are here: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt > > > > The announcement is here: > > https://www.krackattacks.com/ > > > > > > -- > > Cheers, > > Cy Schubert > > FreeBSD UNIX: Web: http://www.FreeBSD.org > > > > The need of the many outweighs the greed of the few. > > > While I do not encourage waiting, it is quite likely that the upstream patch will show up very soon now that the vulnerability is public. It's also worth noting that fixing either end of the connection is all that is required, as I understand it. So getting an update for your AP is not required. That is very fortunate as the industry has a rather poor record of getting out firmware updates for hardware more than a few months old. Also, it appears that Windows and iOS are not vulnerable due to flaws in their implementation of the WPA2 spec. (Of course, if you update your AP(s), you no longer need to worry about your end devices.)
-- Kevin Oberman, Part time kid herder and retired Network Engineer E-mail: rkober...@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Re: cve-2017-13077 - WPA2 security vulni
hi, I got the patches a couple days ago. I've been busy with personal life stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If someone beats me to it, great, otherwise I'll try to do it in the next couple days. I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update everything to but so far nope. It should be easy enough to update the port for now as it's at 2.6. -adrian On 16 October 2017 at 06:04, Cy Schubert wrote: > In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov > writes: >> On 16.10.2017 13:38, blubee blubeeme wrote: >> >> > well, that's a cluster if I ever seen one. >> It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. > > The gory details are here: > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt > > The announcement is here: > https://www.krackattacks.com/ > > > -- > Cheers, > Cy Schubert > FreeBSD UNIX: Web: http://www.FreeBSD.org > > The need of the many outweighs the greed of the few.
Re: cve-2017-13077 - WPA2 security vulni
In message <44161b4d-f834-a01d-6ddb-475f20876...@freebsd.org>, Lev Serebryakov writes: > On 16.10.2017 13:38, blubee blubeeme wrote: > > > well, that's a cluster if I ever seen one. > It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, > CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, > CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. The gory details are here: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt The announcement is here: https://www.krackattacks.com/ -- Cheers, Cy Schubert FreeBSD UNIX: Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few.
Re: cve-2017-13077 - WPA2 security vulni
In message <21896d6e-75be-3376-bc32-9d911227d...@freebsd.org>, Stefan Esser writes: > On 16.10.17 at 12:38, blubee blubeeme wrote: > > well, that's a cluster if I ever seen one. > > > > On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp > > wrote: > > > >> > >> In message >> gmail.com> > >> , blubee blubeeme writes: > >> > >>> Does anyone on FreeBSD know if it's affected by this? > >>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077 > >> > >> It is, same as Linux, we use the same wpa_supplicant software > > The attached patch includes the official patch applied by the WPA > developers in https://w1.fi/cgit/hostap/commit/?id=a00e946 but > for our version of wpa_supplicant in /usr/src/contrib. > > Regards, STefan > Index: contrib/wpa/src/rsn_supp/wpa.c > === > --- contrib/wpa/src/rsn_supp/wpa.c(Revision 324638) > +++ contrib/wpa/src/rsn_supp/wpa.c(Arbeitskopie) 
> @@ -1534,6 +1534,14 @@ > sm->ptk_set = 1; > os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); > os_memset(&sm->tptk, 0, sizeof(sm->tptk)); > + /* > + * This assures the same TPTK in sm->tptk can never be > + * copied twice to sm->pkt as the new PTK. In > + * combination with the installed flag in the wpa_ptk > + * struct, this assures the same PTK is only installed > + * once. > + */ > + sm->renew_snonce = 1; > } > } > > We should also patch the wpa_supplicant and hostapd ports. Also remove peerkey functionality: http://w1.fi/cgit/hostap/commit/?id=e760851176c77ae6de19821bb1d5bf3ae2cb5187 Looks like hostapd is also affected. Simple for us, not so simple if you've purchased a commodity wireless router. I doubt most of the vendors will do anything. There are over a dozen (excluding tests and debugging outputs, 16 by my count) commits our upstream have applied to hostapd and wpa_supplicant. Rather than commit a blob, we should a) mirror their commits which can be MFCed to stable and b) then update head and ports to the latest upstream. B could be MFCed at a later date. -- Cheers, Cy Schubert FreeBSD UNIX: Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few.
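Review bot: in the added comment of the quoted hunk, "copied twice to sm->pkt" names a field that does not appear in the code; the os_memcpy() just above the comment writes to sm->ptk. Change the comment to say sm->ptk so it matches the assignment it documents.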
Re: cve-2017-13077 - WPA2 security vulni
On 16.10.2017 13:38, blubee blubeeme wrote: > well, that's a cluster if I ever seen one. It is really a cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. -- // Lev Serebryakov
Re: cve-2017-13077 - WPA2 security vulni
This is awesome, thanks! On Mon, Oct 16, 2017, 19:19 Stefan Esser wrote: > On 16.10.17 at 12:38, blubee blubeeme wrote: > > well, that's a cluster if I ever seen one. > > > > On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp > > wrote: > > > >> > >> In message >> gmail.com> > >> , blubee blubeeme writes: > >> > >>> Does anyone on FreeBSD know if it's affected by this? > >>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077 > >> > >> It is, same as Linux, we use the same wpa_supplicant software > > The attached patch includes the official patch applied by the WPA > developers in https://w1.fi/cgit/hostap/commit/?id=a00e946 but > for our version of wpa_supplicant in /usr/src/contrib. > > Regards, STefan
Re: cve-2017-13077 - WPA2 security vulni
On 16.10.17 at 12:38, blubee blubeeme wrote: > well, that's a cluster if I ever seen one. > > On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp > wrote: > >> >> In message > gmail.com> >> , blubee blubeeme writes: >> >>> Does anyone on FreeBSD know if it's affected by this? >>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077 >> >> It is, same as Linux, we use the same wpa_supplicant software The attached patch includes the official patch applied by the WPA developers in https://w1.fi/cgit/hostap/commit/?id=a00e946 but for our version of wpa_supplicant in /usr/src/contrib. Regards, STefan Index: contrib/wpa/src/rsn_supp/wpa.c === --- contrib/wpa/src/rsn_supp/wpa.c (Revision 324638) +++ contrib/wpa/src/rsn_supp/wpa.c (Arbeitskopie) @@ -1534,6 +1534,14 @@ sm->ptk_set = 1; os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); os_memset(&sm->tptk, 0, sizeof(sm->tptk)); + /* +* This assures the same TPTK in sm->tptk can never be +* copied twice to sm->pkt as the new PTK. In +* combination with the installed flag in the wpa_ptk +* struct, this assures the same PTK is only installed +* once. +*/ + sm->renew_snonce = 1; } }
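Review bot: the install-once guarantee stated in the new comment depends on "the installed flag in the wpa_ptk struct", but the only functional line this hunk adds is sm->renew_snonce = 1 after the TPTK has been copied and cleared; nothing in the visible lines adds or checks that flag. Please confirm that the backport to contrib/wpa also carries the wpa_ptk struct change and the check at key installation, and mention that in the commit message, otherwise the comment promises more than this change delivers by itself.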
Re: cve-2017-13077 - WPA2 security vulni
well, that's a cluster if I ever seen one. On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp wrote: > > In message gmail.com> > , blubee blubeeme writes: > > >Does anyone on FreeBSD know if it's affected by this? > >https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077 > > It is, same as Linux, we use the same wpa_supplicant software > > -- > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 > p...@freebsd.org | TCP/IP since RFC 956 > FreeBSD committer | BSD since 4.3-tahoe > Never attribute to malice what can adequately be explained by incompetence.
Re: cve-2017-13077 - WPA2 security vulni
In message , blubee blubeeme writes: >Does anyone on FreeBSD know if it's affected by this? >https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077 It is, same as Linux, we use the same wpa_supplicant software -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 p...@freebsd.org | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
cve-2017-13077 - WPA2 security vulni
Does anyone on FreeBSD know if it's affected by this? https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077