Netgate Discussion Forum

    Very serious security problems with WPA2

    19 Posts 8 Posters 3.0k Views
      pakman

      News is breaking about a serious protocol-level security flaw in WPA2. Is it known yet what steps pfSense are taking, and a likely timeframe for the availability of a patch?

      For details, see https://www.krackattacks.com/

        ivor

        We learned about the issue last night. We're looking into it.

        Need help fast? Our support is available 24/7 https://www.netgate.com/support/

          kpa

          PfSense is not going to implement their own patch for the vulnerabilities that I'm certain of; this belongs to the FreeBSD upstream. If it's not a case that the WPA2 encryption standard is seriously flawed and the vulnerabilities can be worked around without breaking compatibility, you could expect a fix in a couple of days.

            jwt Netgate

            https://redmine.pfsense.org/issues/7951

              bfeitell

              EDIT: This pre-patch mitigation only applies to those using 802.1x RADIUS.

              I am not certain of this but I believe that PFSense's "Authentication Roaming Preauth" is the "Fast BSS Transition from IEEE 802.11r" a/k/a "FT", or "fast roaming" discussed in the hostapd vulnerability patch notes.  This should be shut off to prevent one of the exploits of hostapd according to the stop-gap mitigations discussed in the hostapd patch notes for KRACK.

              https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

              From the "possible mitigation steps" section:
              "- For AP/hostapd and FT replay issue (CVE-2017-13082), it is possible to prevent the issue temporarily by disabling FT in runtime configuration, if needed before being able to update the implementations."

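One way to check a configuration for the FT condition the hostapd advisory quoted above refers to, as an added example that is not part of the original post or hostapd's own code: it reports which BSSes offer an FT key-management suite and writes a copy with those suites removed. It assumes FT is enabled through `FT-*` values in `wpa_key_mgmt`; the sample configuration and function names are constructed for illustration.

```python
import re

# Constructed hostapd.conf sample (not from a real system): three BSSes on one radio.
SAMPLE_CONF = """\
interface=wlan0
wpa_key_mgmt=WPA-EAP FT-EAP
mobility_domain=a1b2
bss=wlan0_iot
# FT is the only AKM on this BSS
wpa_key_mgmt=FT-PSK
bss=wlan0_guest
wpa_key_mgmt=WPA-PSK
"""

KEY_MGMT = re.compile(r"^\s*wpa_key_mgmt=(.*)$")
SECTION = re.compile(r"^\s*(?:interface|bss)=(\S+)")  # each starts a new BSS section

def is_ft(akm):
    return akm.upper().startswith("FT-")

def audit_ft(conf_text):
    """Return {bss_name: [FT AKMs]} for each BSS that offers an FT suite."""
    findings, bss = {}, None
    for line in conf_text.splitlines():
        if m := SECTION.match(line):
            bss = m.group(1)
        elif (m := KEY_MGMT.match(line)) and bss is not None:
            ft = [a for a in m.group(1).split() if is_ft(a)]
            findings.pop(bss, None)  # a later wpa_key_mgmt line overrides an earlier one
            if ft:
                findings[bss] = ft
    return findings

def strip_ft(conf_text):
    """Drop FT AKMs from wpa_key_mgmt lines; FT-only lines stay as-is and are reported."""
    out, manual, bss = [], [], None
    for line in conf_text.splitlines():
        if m := SECTION.match(line):
            bss = m.group(1)
        elif m := KEY_MGMT.match(line):
            keep = [a for a in m.group(1).split() if not is_ft(a)]
            if keep:
                line = "wpa_key_mgmt=" + " ".join(keep)
            else:
                manual.append(bss)  # no non-FT AKM to fall back to; needs an admin decision
        out.append(line)
    return "\n".join(out) + "\n", manual
```

A BSS returned in the second value of `strip_ft` still has FT enabled in the rewritten text, so `audit_ft` on the output shows what remains to be handled by hand.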
                mxcprod

                If OpenBSD was aware of the problem since mid-July and has already deployed a patch, then why was FreeBSD only aware of the problem a couple of days ago?

                Ubiquiti is already up to date against this flaw. That's sad for pfSense.

                  kpa

                  OpenBSD is known for holding grudges against FreeBSD, which they consider a less secure and a less professionally developed BSD variant, and they don't feel they have to notify FreeBSD devs about security issues they are aware of and that might affect FreeBSD as well. Sad but true.

                    ivor

                    @mxcprod:

                    If OpenBSD was aware of the problem since mid-July and has already deployed a patch, then why was FreeBSD only aware of the problem a couple of days ago?

                    Ubiquiti is already up to date against this flaw. That's sad for pfSense.

                    Why is it sad for pfSense? The latest snapshots already have the fix.

                      jwt Netgate

                      @mxcprod:

                      If OpenBSD was aware of the problem since mid-July and has already deployed a patch, then why was FreeBSD only aware of the problem a couple of days ago?

                      Ubiquiti is already up to date against this flaw. That's sad for pfSense.

                      Because OpenBSD had a specific attack shown to them, so they broke the embargo, and as a direct result, that researcher will no longer give them long leadtimes.  Further, the researcher showed where OpenBSD is still vulnerable.

                      Snapshots for 2.4.1 and 2.3.5 with fixes for this problem and others are already published.

                      Nor would I call Ubiquiti “up to date”.  While they published firmware for UniFi and SG- series, they build a lot of other gear (e.g. cameras) that have not been updated.

                      Finally, what is “sad” here is your desperate cry for attention from a new account.  Stop, or the ban hammer drops.

                        kejianshi

                        The vast majority of people are not going to update from snapshots for machines in use, unless they are lunatics. 
                        However, I'd bet a regular update gets pushed soon for everyone.

                        Still, I'm betting 90%+ of the hardware out there doesn't get updated.  The vast majority of the APs, routers, phones etc etc currently being used just got obsoleted.

                          jwt Netgate

                          @kejianshi:

                          The vast majority of people are not going to update from snapshots for machines in use, unless they are lunatics.

                          Nor are the vast majority of pfSense users using WiFi.

                          I anticipate both 2.4.1 and 2.3.5 being released next week. (Ask me how I know.)

                            kejianshi

                            Correct.  This has zero effect on my pfsense.

                            Just every other piece of equipment I have that uses wifi.  I don't see this as a pfsense emergency for most people.

                            However, events like this are why I keep my modems, routers, switches and APs as separate pieces and not integrated.

                            Replacing my AP will be simple.  I can't be sure my phone will get an update though.  I'd bet most won't other than relatively new models.

                            OK - I'll bite…  How does a pfsense admin know what might be coming soon?  (rhetorical question)

                            https://redmine.pfsense.org/issues/7951

                              mxcprod

                              I didn't mean to have attention. I tried to update my router yesterday and the latest version I could get is the 2.4.0, so I concluded that I couldn't have the fix because the link you (jwt) wrote below targets the version 2.4.1.
                              I thought pfSense were late on the release, that's it. Sorry for the misinterpretation.

                                kejianshi

                                I'm usually pushing all my traffic through a VPN to my remote pfsense.  So, my phone WPA2 isn't patched and I'd bet it won't be patched for a while but the always on VPN will limit the damage anyone could do with a hack.  You just need to treat every connection, even your own at home, like an insecure coffee shop connection until everything is either patched or replaced.

                                Pfsense is the least of your problems.  It for sure has a patch on the way.

                                  johnpoz LAYER 8 Global Moderator

                                  For the unifi stuff the "fix" they released was in the 3.9.3 beta code.. I am not aware of any updates to any of their stable firmware as of yet.  And I monitor their release channels.  Possible I missed it.. But last I saw when someone asked for the 3.8 line was they stated it would be released in upcoming days.

                                  To be honest fixes for AP and such is for when they are used as a wifi client, ie wireless uplink..  That is my understanding of the problem.. Am I wrong in that assumption? So this fix is not really doing much for the bigger issue.  The bigger issue is the client side..  And iot devices prob be the big issue.. Good luck getting updates to those china cameras you got for 5$ on ebay ;) hehehe

                                  What is the user base for pfsense as a wifi client?

                                  This is also another example of why you use different networks for your different device types.. Your iot devices should be on their own vlan via wifi.. Then all your other devices.  Your laptop and such should be patched really quickly.. But those iot devices going to be farther behind..  But since your device traffic isn't on the same network as those that might get exploited as such..  Then it's not as big a deal, etc.

                                  Curious how far nest's update is out?  Or harmony hub, tp-link smart lightbulbs and elec switches, etc.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    kejianshi

                                    I'm telling you.  It doesn't have to be off-brand junk.  Anything with a few years on it even if it is top of the line name brand stuff is likely to just be ignored.

                                    I think the vendors will be happy to have a good reason to push people into buying new hardware.  Most vendors will see this as a sales opportunity.

                                      johnpoz LAYER 8 Global Moderator

                                      This is quite possibly true.. But stuff like alexa, nest, harmony - these big branded stuff better update their shit.. Or there will be a public uproar ;)

                                      Nest for example.. Not something you need to replace every few years.. Should get a good 5 years out of such device at a min.. The protect has a life that they state of 10 years…  So they better freaking update its code ;)

                                        kejianshi

                                        Hacked house…  Awesome.

                                          johnpoz LAYER 8 Global Moderator

                                          I have seen that amazon and nest and tp-link have announced working on it and patches to follow, etc….  Have not seen anything from logitech (harmony hub) as of yet..

                                          Lot of freaking iot wifi devices ;)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.