Thanks @hnyman, great news and speed resolving big problems!!!
I was just coming here to report this to the forum. To see that it has already been solved speaks volumes about the power of an active open-source community.
That is very good news! Will patching the router firmware be sufficient to mitigate this attack, or will the clients also need to be updated? And thank you very much to the developers for all their hard work! Amazing to see a fix already pushed.
wpa_supplicant seems to be affected on the client side and also has patches ready: http://lists.infradead.org/pipermail/hostap/2017-October/037989.html
Hi! Total noob question: how do I install these patches? I currently run LEDE Reboot 17.01.0-rc2 r3131-42f3c1f / LuCI e306ee6c93c1ef600012f47e40dd75020d4ab555 branch (git-17.033.24085-e306ee6)
Thanks a lot for any help!
You wait for the 17.01.4 release and flash that.
(In any case, strange that you are still using the release candidate 17.01.0-rc2 instead of the actual releases 17.01.0, 17.01.1, 17.01.2 or 17.01.3 ...)
PPPoE didn't work with the "actual" release when I switched to LEDE. rc2 was fine so I just stayed with that...
For Fedora I assume these fixes will be incorporated through regular updates or "dnf update"?
What about our 2 Android phones?
And what about my Windows laptop?
Can this exploit still be triggered if the AP is patched, but the clients are not? And is there any way to check whether my devices are vulnerable or not?
You're missing important security patches in that case. If things break from one release to another, please report it to LEDE bugtracker so a fix can be pushed https://bugs.lede-project.org/
Running outdated versions is never a good solution.
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients.
For ordinary home users, your priority should be updating clients such as laptops and smartphones.
@AmbientSummer Interesting. But then why does the AP require these updates? Does this also effectively solve the issue? Or will the clients also need an update?
"you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes)" and something something "fast roaming".
Seems pretty clear that all clients need to upgrade. Some AP boxes just happen to also be configured as clients of an upstream AP.
EDIT: looks like the fast roaming attack is a second avenue, with patches available for hostapd. I don't know if fast roaming is enabled "by default". Source: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
The official FAQ seems to recommend concentrating on the clients and not worrying too much about the AP. Which is good for the millions of unpatchable APs out there! I think you're right to want a bit more clarification though.
Good news for the AP side, but bad for the millions of unpatchable clients out there (think IoT and a lot of mobile phones)...
Is there also going to be an update for CC as well?
Good stuff guys! Way to be ahead of the game...
I suppose Windows will be updated via "Windows Update" patches.
In my opinion the problem will be for TV/Phones.
Many brands don't update their firmware because they prefer to sell you a new TV/Phone/etc... with a patched version of Wi-Fi, instead of updating the old devices.
Sadly, it is another way to take people's money.
"Fast roaming" is not enabled by default in LEDE. It involves two or more APs on the same network telling each other the client's key over the "backhaul" network. This allows a client to physically move to a new AP (e.g. walking down a hallway) and communicate data immediately by re-using its old key.
Since hostapd / wpad is a user-space program, likely one could put the new binary on an old version of the OS and still have it work. But if you're in an environment where over the air hacking is a concern, you should run the latest versions of everything.
So if we are on latest .... need a full flash? Or just upgrade hostapd package?
The fix is available now. Update wpad (or wpad-mini) and hostapd-common to the latest version.
wpad - 2016-12-19-ad02e79d-5
hostapd-common - 2016-12-19-ad02e79d-5
I have just updated my packages lists, but can still only see:
wpad - 2016-12-19-ad02e79d-4 and hostapd-common - 2016-12-19-ad02e79d-4
Am I doing something wrong?
Model - Linksys WRT1900AC
Firmware Version - LEDE Reboot 17.01.3 r3533-d0bf257c46 / LuCI lede-17.01 branch (git-17.232.21093-079f65a)
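
Added example (not part of any post in this thread, and not LEDE project code): a small shell check that compares package lines in the `name - version` form quoted above against the fixed revision named in the thread, `2016-12-19-ad02e79d-5`. The function names and sample lines are constructed for illustration; a different snapshot string is reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Assumption taken from the thread: for snapshot 2016-12-19-ad02e79d,
# package release 5 or higher carries the fix.
FIXED_SNAPSHOT="2016-12-19-ad02e79d"
FIXED_RELEASE=5

# check_pkg_line "wpad - 2016-12-19-ad02e79d-4"
# Prints one of: patched | needs-update | unknown | ignored
check_pkg_line() {
    line=$1
    name=${line%% - *}        # text before the first " - "
    version=${line#* - }      # text after the first " - "
    case "$name" in
        wpad|wpad-mini|hostapd-common) ;;
        *) echo ignored; return 0 ;;
    esac
    snapshot=${version%-*}    # e.g. 2016-12-19-ad02e79d
    release=${version##*-}    # e.g. 4
    case "$release" in        # release must be purely numeric
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$snapshot" != "$FIXED_SNAPSHOT" ]; then
        echo unknown          # other snapshot: the thread gives no data
    elif [ "$release" -ge "$FIXED_RELEASE" ]; then
        echo patched
    else
        echo needs-update
    fi
}

# audit: read package lines on stdin, report the relevant ones,
# return 1 if any of them is not confirmed patched.
audit() {
    rc=0
    while IFS= read -r l; do
        r=$(check_pkg_line "$l")
        [ "$r" = ignored ] && continue
        printf '%s: %s\n' "$l" "$r"
        [ "$r" = patched ] || rc=1
    done
    return $rc
}

# Constructed sample input mirroring the versions quoted in the posts.
sample_lines() {
    printf '%s\n' 'wpad - 2016-12-19-ad02e79d-4' \
                  'hostapd-common - 2016-12-19-ad02e79d-5' \
                  'dnsmasq - 2.78-1'
}
```

On the router, `opkg list-installed | audit` prints the state of each relevant package and returns non-zero if any of them still needs the update.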