
Thread: WPA2 situation

  1. #21
    Join Date
    Jun 2017
    Location
    Australia
    Posts
    582

    Default Re: WPA2 situation

    Heehee, i'd already been feeling guilty, all by myself anyway, at having skipped the past >week's worth of upgrades coz i was waiting for p5.11.1 [which still seems not available yet in TW repos; both my PCs are still on p5.10.5], but this thread has now shamed me into action. Thus Lappy's dup is underway, as i write this now on Tower. I continue to not understand whether my earlier-posted pessimistic conclusion is technically valid... or stupid... but i'm proceeding anyway. What i do want to avoid however is some false sense of security, if in fact i will indeed still be vulnerable via the modem-router thingie.

    Said thingie [owned by me, not ISP] is a "TP-Link TD-VG5612 300Mbps Wireless N VoIP VDSL/ADSL ModemRouter". Over the weekend i shall try to discover with research if it is compatible with openWRT, & if it is, what i need to do.

  2. #22
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    4,949

    Default Re: WPA2 situation

    Quote Originally Posted by malcolmlewis View Post
    Nope, Check the changelog?
    BTW, Leap 42.2 seems to be OK:
    Code:
     > rpm -q --changelog wpa_supplicant | head -n 21
    * Mo Okt 16 2017 ro@suse.de
    - Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
      0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
      - not applied, since sta->added_unassoc were only implemented in Feb 16 "AP: Add support for full station state"
      0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
      - added with context edit
      0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
      - added with context edit
      0004-Prevent-installation-of-an-all-zero-TK.patch
      - removed parts about tk_len not yet in the code
      0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
      - applied
      0006-TDLS-Reject-TPK-TK-reconfiguration.patch
      - added with context edit
      0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
      - added integrating changes from commit implementing this 03ed0a52393710be6bdae657d1b36efa146520e5
      0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
      - added with context edit
     >
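
The changelog check from the post above, turned into a reusable script; this is an added example, not part of the original thread. The CVE list is the one in the quoted changelog entry; the function names, the sample changelogs and the assumption that the AP daemon is packaged as `hostapd` are illustrative.

```shell
#!/bin/sh
# Added example: check an RPM changelog for the KRACK CVE ids quoted in post #22.
# The ids below are copied from that changelog entry; nothing else is assumed.
KRACK_CVES="CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13087 CVE-2017-13088"

# Read a changelog on stdin; print the listed CVE ids it does NOT mention,
# space-separated (empty output means every id was found).
krack_missing() {
    log=$(cat)
    missing=""
    for cve in $KRACK_CVES; do
        # -F: literal match, -w: whole token, so a longer id cannot satisfy it
        if ! printf '%s\n' "$log" | grep -qwF -- "$cve"; then
            missing="${missing:+$missing }$cve"
        fi
    done
    printf '%s' "$missing"
}

# Constructed sample: the fix entry as it appears in the post.
sample_patched() {
    cat <<'EOF'
* Mo Okt 16 2017 ro@suse.de
- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
EOF
}

# Constructed sample: a hypothetical changelog that records only four of the ids.
sample_partial() {
    cat <<'EOF'
* Mon Oct 16 2017 packager@example.invalid
- Security fixes (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081)
EOF
}

# Query an installed package. Returns 0 = all ids recorded, 1 = some missing,
# 2 = cannot tell (no rpm, or package not installed).
check_pkg() {
    pkg=$1
    command -v rpm >/dev/null 2>&1 || { echo "$pkg: rpm not found"; return 2; }
    rpm -q "$pkg" >/dev/null 2>&1 || { echo "$pkg: not installed"; return 2; }
    gaps=$(rpm -q --changelog "$pkg" | krack_missing)
    if [ -z "$gaps" ]; then
        echo "$pkg: changelog records all listed KRACK CVEs"
    else
        echo "$pkg: changelog does not mention: $gaps"
        return 1
    fi
}

# Live check only for package names given on the command line, e.g.
#   sh krack_check.sh wpa_supplicant hostapd
# (hostapd as a package name is an assumption; it matters only on an AP).
for p in "$@"; do
    check_pkg "$p" || true
done
```

A CVE id in the changelog shows what the packager recorded, not that every upstream patch was taken verbatim, so the per-patch notes in the post (for example 0001 "not applied") are still worth reading.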

  3. #23
    Join Date
    Jun 2017
    Location
    Australia
    Posts
    582

    Default Re: WPA2 situation

    Quote Originally Posted by GooeyGirl View Post
    ...the modem-router thingie.

    Said thingie [owned by me, not ISP] is a "TP-Link TD-VG5612 300Mbps Wireless N VoIP VDSL/ADSL ModemRouter". Over the weekend i shall try to discover with research if it is compatible with openWRT, & if it is, what i need to do.
    No good. Searched the openWRT database for it; no hits. Searched the DD-WRT database for it; no hits. Looks like my modem-router will stay a sitting duck.

    On both those sites i got the very distinct impression that they target dedicated routers. That's not what i have; mine is a modem-router.

  4. #24
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: WPA2 situation

    Quote Originally Posted by GooeyGirl View Post
    No good. Searched the openWRT database for it; no hits. Searched the DD-WRT database for it; no hits. Looks like my modem-router will stay a sitting duck.

    On both those sites i got the very distinct impression that they target dedicated routers. That's not what i have; mine is a modem-router.
    No hits probably only means no one is paying attention or has a patch ready.

    See the patch documentation provided by Miuku in the above post and my response.

    There are multiple vulnerabilities (the documentation lists the CVE) and there are separate issues for both the Server (AP) and client (station) sides, at least in the Linux world. Considering that there are practically no APs in existence that aren't running some form of Linux and a great majority of those can't be updated (see my slide deck describing how common Busybox is), those will be problems well into the future. But, if anyone is running an openSUSE AP (running hostapd), install the patch or update.

    Client-side problems are different although somewhat broadly similar in that an attacker attempts to reset the connection, kicking off the original User but hijacking the running session. Again, patch or update.

    Since DD-WRT is a Linux distro, it's definitely affected and needs to be patched.
    That does not mean patching clients solves the DD-WRT vulnerabilities, and does not mean that client issues can be solved by patching DD-WRT.

    And, it does not matter what kind of Gateway it is, eg modem, modem-router, etc. All that matters is whether it's running hostapd to provide AP WiFi services.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #25
    Join Date
    Jun 2008
    Location
    East of Podunk
    Posts
    33,255
    Blog Entries
    15

    Default Re: WPA2 situation

    On Fri 20 Oct 2017 02:16:02 PM CDT, tsu2 wrote:

    GooeyGirl;2842335 Wrote:
    > No good. Searched the -openWRT- database for it; no hits. Searched the
    > -DD-WRT- database for it; no hits. Looks like my modem-router will
    > stay a sitting duck.
    >
    > On both those sites i got the very distinct impression that they
    > target dedicated -routers-. That's not what i have; mine is a
    > -modem-router-.


    No hits probably only means no one is paying attention or has a patch
    ready.

    See the patch documentation provided by Miuku in the above post and my
    response.

    There are multiple vulnerabilities (the documentation lists the CVE) and
    there are separate issues for both the Server(AP) and client(station)
    sides, at least in the Linux world. Considering that there are
    practically no APs in existence that aren't running some form of Linux
    and a great majority of those can't be updated (see my slide deck on
    Busybox), those will be problems well into the future. But, if anyone is
    running an openSUSE AP (running hostapd), install the patch or update.

    Client-side problems are different although somewhat broadly similar in
    that an attacker attempts to reset the connection, kicking off the
    original User but hijacking the running session. Again, patch or update.

    Since DD-WRT is a Linux distro, it's definitely affected and needs to be
    patched.
    That does not mean patching clients solves the DD-WRT vulnerabilities,
    and does not mean that client issues can be solved by patching DD-WRT.

    And, it does not matter what kind of Gateway it is, eg modem,
    modem-router, etc. All that matters is whether it's running hostapd to
    provide AP WiFi services.

    TSU


    Hi
    Or build your own.... get a ESPRESSObin SBUD102 64 Bit Single Board
    Computer Network Switch and get openSUSE ARM (or WRT) running on it

    I'm using multiple gl-inet mt300n mini routers as bridges, nice little
    units, serial access etc.

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE Leap 42.2|GNOME 3.20.2|4.4.87-18.29-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  6. #26
    Join Date
    Jun 2017
    Location
    Australia
    Posts
    582

    Default Re: WPA2 situation

    Quote Originally Posted by tsu2 View Post
    No hits probably only means no one is paying attention or has a patch ready.

    See the patch documentation provided by Miuku in the above post and my response.

    There are multiple vulnerabilities (the documentation lists the CVE) and there are separate issues for both the Server (AP) and client (station) sides, at least in the Linux world. Considering that there are practically no APs in existence that aren't running some form of Linux and a great majority of those can't be updated (see my slide deck describing how common Busybox is), those will be problems well into the future. But, if anyone is running an openSUSE AP (running hostapd), install the patch or update.

    Client-side problems are different although somewhat broadly similar in that an attacker attempts to reset the connection, kicking off the original User but hijacking the running session. Again, patch or update.

    Since DD-WRT is a Linux distro, it's definitely affected and needs to be patched.
    That does not mean patching clients solves the DD-WRT vulnerabilities, and does not mean that client issues can be solved by patching DD-WRT.

    And, it does not matter what kind of Gateway it is, eg modem, modem-router, etc. All that matters is whether it's running hostapd to provide AP WiFi services.

    TSU
    Thank you. I'm afraid that i am just too much of a mullet-head to be able to comprehend all this. Most of the jargon, & lots of the structural concepts, are just so far out of my range of personal experience & knowledge [i have no IT background at all] that they could be written in Latin & i'd still have a similar grasp [ie, not]. If the link to which you allude is http://w1.fi/security/2017-1/wpa-pac...d-messages.txt , then i did read that at the time, & just now re-read it... it's simply over my head. I also read your reply, & your presentation, t'other day as well. Nothing i have read has been able to allow me to grasp how to protect myself, if that's even possible anymore. My Laptop is now dup'd to 20171018, & Tower is currently 120/1431th of the way to that as well. That might or might not help me, but the issue of the modem-router remains large in my mind. Last night before searching those sites i mentioned, i reviewed the OEM's page for my model... the slackos have not updated their FW since mid last year.

    And to answer Malcolm's subsequent suggestion, here now, not much of what you kindly wrote [thank you] made specific sense to me, but yes i see the generality of me maybe "building my own"... notwithstanding i have no experience & knowledge about doing so.

    Writing this, i suddenly remembered my Moto G phone. It runs Android 6, so that's super-lucky, isn't it... explicitly named in the reports as being severely vulnerable. Motorola have a **** record of releasing updates, so i shan't hold my breath for them. I suppose there's the root & flash CyanogenMod possibility... if i feel like gambling that i don't brick it & then have no phone - ha.

    The global breadth of this vulnerability is simply stunning. Lots of clueless people like me are possibly going to get burned.

  7. #27
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: WPA2 situation

    For topics like this,
    I try to write to a wide audience.
    Even if you can't grasp the deeper content, the first few paragraphs saying that there are <different> vulnerabilities on <both> AP and station are important.
    That means that both the AP and the client machines have to be patched to completely address all problems... else, if you patch only one side, the other side will still be exploitable.

    Beyond that, a person can read the original documentation for the technical details or what I jabber about interpreting those details... But, those details are important only for those who want to evaluate the <degree> of severity by how easy or hard it might be to exploit and what the end result would be.

    If those details about what the consequences might be are not important, the only <real> basic importance is to understand what needs to be patched, and that is all involved devices, AP and connecting machines running any version of Linux, Unix and likely Windows.

    As for patching Android phones...
    Unfortunately that's a lost cause (something I covered in my presentation as well).
    Android is created and maintained by Google, and then licensed(for free) to Carriers to be used on hardware created by other manufacturers. The licensing allows the Carriers to customize, eg add their own apps, other apps, and to some degree modify apps. This enables the Carriers to load up advertising and other ways of making money (Google makes their own money off provided apps like Google search and forces adoption of Google services which in turn also generate money).

    But, a consequence of this licensing is that if Carriers are permitted to highly modify Android, then the Carrier must assume responsibility for the patching and re-distributing process... And
    1. Carriers don't want to spend that kind of money to debug and write patches
    2. Carriers have no incentive to patch phones when they'd rather you purchase a new phone with the latest Android version and patches.

    So, unless there is some kind of regulation, market forces alone are not enough to ensure the Consumer's interest.

    TSU

  8. #28
    Join Date
    Jun 2017
    Location
    Australia
    Posts
    582

    Default Re: WPA2 situation

    Thank you TSU for your further interesting remarks [& your patience].

    Quote Originally Posted by tsu2 View Post
    Even if you can't grasp the deeper content, the first few paragraphs saying that there are <different> vulnerabilities on <both> AP and station are important.
    That means that both the AP and the client machines have to be patched to completely address all problems... else, if you patch only one side, the other side will still be exploitable.

    ... the only <real> basic importance is to understand what needs to be patched, and that is all involved devices, AP and connecting machines running any version of Linux, Unix and likely Windows.
    TSU
    Yes, i have grasped that i need to patch all my "devices" [though as i initially wrote, given my Tower has NO WiFi at all, i still can't see how it was vulnerable] ... hence both Tower & Lappy now have TW 20171018, ie, i have placed my faith that TW is now protecting me. This still leaves the phone [discussed below], & my modem-router. Re the latter, i remembered that stored away in my cupboard is a decade-or-more-old WiFi router [Belkin F5D7231-4], which i abandoned long ago due to a fault [it kept intermittently going offline & needing me to reboot it, from memory]. I've not yet done so, but i'm wondering if maybe a plan like this could work:
    1. Research if there's an openWRT or a DD-WRT firmware version for this old router
    2. If yes, perform that process, then research how to patch that new FW to eliminate the vulnerability
    3. Insert said router into my present wall socket - cable - modemrouter - Ethernet cable - Tower chain
    4. Enable router's WiFi, disable modem-router's [unpatchable] WiFi, hope to goodness that the router's old bad-habit of needing frequent reboots was a FW not HW fault.
    5. Lappy's WiFi connection to internet would then be "secure" again [ie, until the next exploit/s become known].
    6. Happy days...?



    Quote Originally Posted by tsu2 View Post
    As for patching Android phones...
    Unfortunately that's a lost cause (something I covered in my presentation as well).
    Android is created and maintained by Google, and then licensed(for free) to Carriers to be used on hardware created by other manufacturers. The licensing allows the Carriers to customize, eg add their own apps, other apps, and to some degree modify apps. This enables the Carriers to load up advertising and other ways of making money (Google makes their own money off provided apps like Google search and forces adoption of Google services which in turn also generate money).


    But, a consequence of this licensing is that if Carriers are permitted to highly modify Android, then the Carrier must assume responsibility for the patching and re-distributing process... And
    1. Carriers don't want to spend that kind of money to debug and write patches
    2. Carriers have no incentive to patch phones when they'd rather you purchase a new phone with the latest Android version and patches.


    So, unless there is some kind of regulation, market forces alone are not enough to ensure the Consumer's interest.
    TSU
    I'm in Australia, & i suspect our telecommunications regulation & commercial scenarios might be different to yours. Here we can buy mobile phones direct from one of the three carriers [Telstra, Optus, Vodafone], or from one of the myriad resellers. In some of those cases the seller might have customised Android, in which case i assume much of what you wrote applies. However for all the other phones that were not customised by anyone post-OEM, which includes all phones bought, like mine, from a reseller not a carrier, the Android is "pure". I deliberately put that in inverted commas, because in some cases it is genuinely pure Android, whilst in other cases it has not been changed by any actual network carrier [given it was not bought from them] but it was modified by the OEM [eg, Motorola]. In the case of phones like mine, your "enables the Carriers to load up advertising" scenario simply never arises... no carrier had access to my phone before i bought it.

    That said, even though no carrier here has any influence/control/responsibility to patch my phone, as i indicated, i have very little belief that my phone's OEM Motorola will soon, if ever, provide a patch. Several years ago i flashed a replacement ROM to my Samsung Galaxy tablet [CyanogenMod] to get newer Android versions, & better features & functions [& multiple ongoing updates] once i realised that Samsung were missing in action. That's why i mentioned CM earlier; maybe this might also be applicable for my phone. I've not yet checked if CM have a current ROM for my phone, & if it is patched, but if they do, then i imagine it's a serious option for me to consider, rather than just wait for Motorola. Certainly i agree with what i think is your general message that if i wait for others to "look after me" then i'll be a very very old woman before that ever/never occurs. I've deliberately not mentioned til now anything about just buying a new phone, as i vehemently object to contemporary disposable culture.

  9. #29
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: WPA2 situation

    These WiFi WPA2 vulnerabilities only apply to the following

    - Linux distros that run hostapd which is the standard way to support running as a WiFi Access Point
    - Running wpa_supplicant. wpa_supplicant is the standard and practically only way for a Linux machine to connect using WPA to an Access Point. wpa_supplicant is installed by default in all openSUSE, but of course is not used unless connecting using WiFi.
    - Other OS like Windows will use something other than wpa_supplicant, so YMMV.

    This topic does not extend to any other device or configuration like non-WiFi routers and host machines.

    As for Android licensing and support, it's my understanding that it's fundamental and crosses all borders and nationalities, it's not a regulation or political practice... It's a universal legal and technical issue that's pretty simple... Google pushes updates only for those phones it manufactures like the Note. But, for all other carriers and manufacturers like Verizon, Samsung, LG, etc updates become the responsibility of the licensee, not Google.

    This is why Note owners will likely get an update to patch this vulnerability but highly unlikely for anyone else including carrier-branded Note owners. It all comes down to who wrote the factory image on your device.

    TSU

  10. #30
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    4,949

    Default Re: WPA2 situation

    The openSUSE Security Alert is here: <https://lists.opensuse.org/opensuse-.../msg00024.html> -- "openSUSE-SU-2017:2755-1: important: Security update for wpa_supplicant".

    The SUSE Security Alert is here: <https://www.suse.com/de-de/support/u...su-20172752-1/> -- "SUSE-SU-2017:2752-1 Security update for wpa_supplicant".

    There is a German language list (being continually updated) of manufacturer comments and updates here: <https://www.heise.de/security/meldun...n-3863455.html>.
    • The URLs in the manufacturer list point mostly to English language information.
    • At least one exception is AVM (FRITZ!Box) but, English language notes are available -- for example for the FRITZ!WLAN Repeater 1750E: <http://ftp.avm.de/fritz.box/fritz.wl...lisch/info.txt>
