Very serious security problems with WPA2
-
News is breaking about a serious protocol-level security flaw in WPA2. Is it known yet what steps pfSense are taking, and a likely timeframe for the availability of a patch?
For details, see https://www.krackattacks.com/
-
We learned about the issue last night. We're looking into it.
-
PfSense is not going to implement their own patch for the vulnerabilities that I'm certain of, this belongs to the FreeBSD upstream. If it's not a case that the WPA2 encryption standard is seriously flawed and the vulnerabilities can be worked around without breaking compatibility you could expect a fix in couple of days
-
https://redmine.pfsense.org/issues/7951
-
EDIT This pre-patch mitigation only applies to those using 802.1x RADIUS.
I am not certain of this but I believe that PFSense's "Authentication Roaming Preauth" is the "Fast BSS Transition from IEEE 802.11r" a/k/a "FT", or "fast roaming" discussed in the hostapd vulnerability patch notes. This should be shut off to prevent one of the exploits of hostapd according to the stop-gap mitigations discussed in the hostapd patch notes for KRACK.
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
From the "possible mitigation steps" section:
"- For AP/hostapd and FT replay issue (CVE-2017-13082), it is possible to prevent the issue temporarily by disabling FT in runtime configuration, if needed before being able to update the implementations." -
If OpenBSD was aware of the problem since mid-july and have already deployed a patch, then why FreeBSD were only aware of the problem only a couple of days ago?
Ubiquiti is already up to date against this flaw. That's sad for pfSense.
-
OpenBSD is known for holding grudges against FreeBSD that they consider a less secure and a less professionally developed BSD variant and they don't feel they have to notify FreeBSD devs about security issues they are aware of and that might affect FreeBSD as well. Sad but true.
-
If OpenBSD was aware of the problem since mid-july and have already deployed a patch, then why FreeBSD were only aware of the problem only a couple of days ago?
Ubiquiti is already up to date against this flaw. That's sad for pfSense.
Why is it sad for pfSense? The latest snapshots already have the fix.
-
If OpenBSD was aware of the problem since mid-july and have already deployed a patch, then why FreeBSD were only aware of the problem only a couple of days ago?
Ubiquiti is already up to date against this flaw. That's sad for pfSense.
Because OpenBSD had a specific attack shown to them, so they broke the embargo, and as a direct result, that researcher will no longer give them long leadtimes. Further, the researcher showed where OpenBSD is still vulnerable.
Snapshots for 2.4.1 and 2.3.5 with fixes for this problem and other are already published.
Nor would I call Ubiquiti “up to date”. While they published firmware for UniFi and SG- series, they build a lot of other gear (e.g. cameras) that have not been updated.
Finally, what is “sad” here is your desperate cry for attention from a new account. Stop, or the ban hammer drops.
-
The vast majority of people are not going to update from snapshots for machines in use, unless they are lunatics.
However, I'd bet a regular update gets pushed soon for everyone.Still, I'm betting 90%+ of the hardware out there doesn't get updated. The vast majority of the APs, routers, phones etc etc currently being used just got obsoleted.
-
The vast majority of people are not going to update from snapshots for machines in use, unless they are lunatics.
Nor are the vast majority of pfSense users using WiFi.
I anticipate both 2.4.1 and 2.3.5 being released next week. (Ask me how I know.)
-
Correct. This has zero effect on my pfsense.
Just every other piece of equipment I have that uses wifi. I don't see this as a pfsense emergency for most people.
However events like this is why I keep my modems, routers, switches and APs as separate pieces and not integrated.
Replacing my AP will be simple. I can't be sure my phone will get an update though. I'd bet most won't other than relatively new models.
OK - I'll bite… How does a pfsense admin know what might be coming soon? (rhetorical question)
https://redmine.pfsense.org/issues/7951
-
I didn't meant to have attention. I tried to update my router yesterday and the latest version I could get is the 2.4.0, so I concluded that I couldn't have the fix because the link you (jwt) wrote below target the version 2.4.1.
I thought pfSense were late on the release, that's it. Sorry for the misinterpretation. -
I'm usually pushing all my traffic through a VPN to my remote pfsense. So, my phone WPA2 isn't patched and I'd bet it wont be patched for a while but the always on VPN will limit the damage anyone could do with a hack. You just need to treat every connection, even your own at home, like an insecure coffee shop connection til everything is either patched or replaced.
Pfsense is the least of your problems. It for sure has a patch on the way.
-
For the unifi stuff the "fix" they released was in the 3.9.3 beta code.. I am not aware of any updates to any of their stable firmware as of yet. And I monitor their release channels. Possible I missed it.. But last I saw when someone asked for the 3.8 line was they stated it would be released in upcoming days.
To be honest fixes for AP and such is for when they are used a wifi client, ie wireless uplink.. That is my understanding of the problem.. Am I wrong in that assumption? So this fix is not really doing much for the bigger issue. The bigger issue is the client side.. And iot devices prob be the big issue.. Good luck getting updates to those china camera's you got for 5$ on ebay ;) hehehe
What is the user base for pfsense as a wifi client?
This also another example of why you use different networks for your different device types.. Your iot devices should be on their own vlan via wifi.. Then all your other devices. Your laptop and such should be patched really quickly.. But those iot devices going to be farther behind.. But since your device traffic isn't on the same network as those that might get exploited as such.. Then its not as big a deal, etc.
Curious how far nests update is out? Or harmony hub, tp-link smart lightbulbs and elec switches, etc.
-
I'm telling you. It doesn't have to be off-brand junk. Anything with a few years on it even if is top of the line name brand stuff is likely to just be ignored.
I think the vendors will be happy to have a good reason to push people into buying new hardware. Most vendors will see this as a sales opportunity.
-
This is quite possible true.. But stuff like alexa, nest, harmony - these big branded stuff better update their shit.. Or there will be a public uproar ;)
Nest for example.. Not something you need to replace every few years.. Should get a good 5 years out of such device at a min.. The protect has a life that they state of 10 years… So they better freaking update its code ;)
-
Hacked house… Awesome.
-
I have seen that amazon and nest and tp-link have announced working on it and patches to follow, etc…. Have not seen anything from logitech (harmony hub) as of yet..
Lot of freaking iot wifi devices ;)
