Re: KRACK Attack against WPA2

Does the patch above for CC fix hostap and wpa_supplicant?

Or only hostap?

If OpenWRT is being used on a client device to connect to another WiFi network, does the above patch address this?

Thanks for your help.

Re: KRACK Attack against WPA2

Is it possible to patch Barrier Breaker? Or is an upgrade the only path?

Re: KRACK Attack against WPA2

adamm wrote:

Is it possible to patch Barrier Breaker? Or is an upgrade the only path?

Barrier Breaker hasn't seen any security support since 2015, there are plenty more serious security issues (ones that don't require physical proximity) present in Barrier Breaker independent of the components affected by KRACK. Why do you care so much about this one, if you obviously didn't bother about security support for at least 2 (almost 3) years?

Re: KRACK Attack against WPA2

This device isn't on the internet, vulns that affect it should be patched.

Re: KRACK Attack against WPA2

What the fuck is it with people and Barrier Breaker? Barrier Breaker has hundreds of bugs that have been fixed over the years. Firmware / software moves on, gets fixes, get over it people and just upgrade for fuck sake!

Re: KRACK Attack against WPA2

Heads up: new LEDE packages were patched and available:

    from:

    hostapd_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
    hostapd-common_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
    hostapd-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
    hostapd-utils_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

    to:

    hostapd_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
    hostapd-common_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
    hostapd-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
    hostapd-utils_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

    from:

    wpad_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
    wpad-mesh_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
    wpad-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

    to:

    wpad_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
    wpad-mesh_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
    wpad-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

    from:

    wpa-supplicant_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
    wpa-supplicant-mesh_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
    wpa-supplicant-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
    wpa-supplicant-p2p_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

    to:

    wpa-supplicant_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
    wpa-supplicant-mesh_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
    wpa-supplicant-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
    wpa-supplicant-p2p_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

I have a couple of OpenWRT routers as well, hopefully there is a way to "reuse" LEDE packages or we will all be forced to go to LEDE ...

Re: KRACK Attack against WPA2

Sorry for my newbie question: Will there be documentation for all non-super-openwrt pros on how to fix the WPA2 security issue? I don't understand that much of what is written here, but in German online media it is hyped as a big issue - but the initial topic here seems to be from 2009?!

Thanks and kind regards, dirk

Re: KRACK Attack against WPA2

We've decided that for CC we'll do a bugfix release (CC.1a or CC.2), which will only include the upgraded dropbear, *ssl, dnsmasq, and hostapd binaries. The kernel will remain the same, as upgrading that will require going through a whole RC cycle, which we're not geared up to.

The builds are running, will be available in the next couple days for the targets supported by CC.

Regards,
-w-

Re: KRACK Attack against WPA2

Not wishing to stir tapper's quiet patience and help into life again, but I have a Buffalo WHR300HP with no version number that I can see. It is, as tapper so nicely cautions me, running OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)

I am happy to try and upgrade, but no idea what the LEDE stuff is about. I checked the OpenWRT main downloads page and it shows 15.05.. so obviously that's not it - or is it?

I have tried searching the site for what I need to be using for an upgrade but nothing helps.

So guys, a little more patience for those of us not living their life on this website and please feed us starving newbies some oats rather than coal.

Can I upgrade this Buffalo?
To what?
Where do I get the file(s) for a simple install?

Thank you very much.

35 (edited by justme123 2017-10-17 20:32:04)

Re: KRACK Attack against WPA2

@wigyori

I salute the fast response to the WPA2 security issue, many thanks in advance for the bugfix release!

While you're updating some additional packages, I'd kindly ask you (& the other developers) to consider rebuilding OpenVPN too, since it looks broken - Point-To-Point connections are not working - in the last OpenWRT CC release.
For reference:
https://forum.openwrt.org/viewtopic.php?id=70755

And the documentation according to which it should work:
https://wiki.openwrt.org/doc/howto/vpn. … vpn_set-up

36 (edited by makedir 2017-10-17 20:36:53)

Re: KRACK Attack against WPA2

Grund_Grunf wrote:

Heads up: new LEDE packages were patched and available:

...

I have couple of OpenWRT routers as well, hopefully there is a way to "reuse" LEDE  packages or we will all be forced to go to LEDE ...

But the trunk builds are fixed, no? Not sure why we need LEDE builds then...

hostapd-common_2016-06-15-1_ar71xx.ipk
wpad-mini_2016-06-15-1_ar71xx.ipk

Those should have the patches implemented, because they were committed already yesterday, and if not then the next buildbot ones.

Question: Why do I also need an updated version of dnsmasq? I am still on 2.75-7, does this have a major security flaw? But it's not reachable over WAN anyway. So what's the risk of using it?

Re: KRACK Attack against WPA2

makedir wrote:

Those should have the patches implemented, because they were committed already yesterday, and if not then the next buildbot ones.

Correct, for trunk, the buildbots have (should have) worked through the daily builds.

makedir wrote:

Question: Why do I also need an updated version of dnsmasq? I am still on 2.75-7, does this have a major security flaw? But it's not reachable over WAN anyway. So what's the risk of using it?

Yes, there are major issues with dnsmasq before 2.78, so that'll also get a version bump in the CC build. Though, you are mostly safe if you're running an internal-only dnsmasq.

https://www.theregister.co.uk/2017/10/02/dnsmasq_flaws/

Regards,
-w-

Re: KRACK Attack against WPA2

MyNewRouter wrote:

Not wishing to stir tapper's quiet patience and help into life again, but I have a Buffalo WHR300HP with no version number that I can see. It is, as tapper so nicely cautions me, running OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)

I am happy to try and upgrade, but no idea what the LEDE stuff is about. I checked the OpenWRT main downloads page and it shows 15.05.. so obviously that's not it - or is it?

I have tried searching the site for what I need to be using for an upgrade but nothing helps.

So guys, a little more patience for those of us not living their life on this website and please feed us starving newbies some oats rather than coal.

Can I upgrade this Buffalo?
To what?
Where do I get the file(s) for a simple install?

Thank you very much.

Hi mate, sorry for my rant but people are asking the same thing over and over again without being nice or asking Mr Google. Now I would love to help you out. To update your router somehow you will need to find out what model router you have, or it's impossible to make sure that your router will not end up as a brick! If you find out what router you have, look for its sysupgrade file here:
https://downloads.lede-project.org/rele … 3/targets/
You will find out what target your router is by googling its name and looking on the LEDE or OpenWRT wiki. You can flash a new ver of LEDE or OpenWRT if you don't save settings. Just untick the box to save settings. To all people on here: you really do need to upgrade to the latest firmware your router can run. You would not run Windows 95 on your PC, so please don't run very old firmware on your router. Having up-to-date firmware is more important than a new Android or Windows update. If you can hack a router you can read all traffic that flows through it. E.g. if I hacked your phone I could read your texts; if I could hack your router I can read your life! (rofl)

Re: KRACK Attack against WPA2

tapper wrote:

If you find out what router you have, look for its sysupgrade file here:
https://downloads.lede-project.org/rele … 3/targets/
You will find out what target your router is by googling its name and looking on the LEDE or OpenWRT wiki.

Instead of going the most difficult way (as described above), just go to https://lede-project.org/toh/views/toh_fwdownload

Re: KRACK Attack against WPA2

tapper wrote:

Hi mate, sorry for my rant but people are asking the same thing over and over again without being nice or asking Mr Google. Now I would love to help you out.

smile It's all good tapper.
The router is a Buffalo WHR-300HP with OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)

Using the link tmo26 supplied, (thank you tmo26) I can find a WHR-300HP2 but my router does not mention a Version number.

So, am I screwed for a LEDE upgrade - or - should I risk using the file defined for the WHR-300HP2?

Thanks

Re: KRACK Attack against WPA2

MyNewRouter wrote:
tapper wrote:

Hi mate, sorry for my rant but people are asking the same thing over and over again without being nice or asking Mr Google. Now I would love to help you out.

smile It's all good tapper.
The router is a Buffalo WHR-300HP with OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)

Using the link tmo26 supplied, (thank you tmo26) I can find a WHR-300HP2 but my router does not mention a Version number.

So, am I screwed for a LEDE upgrade - or - should I risk using the file defined for the WHR-300HP2?

Thanks

Hi mate, I looked on Google and could not find out just what file to use. There seem to be a few different Buffalo routers with very similar names. You could do with googling and looking at some pics to identify just which one you have. I am sorry I can't help out more. Try and make a new thread about this.

Re: KRACK Attack against WPA2

WHR-300HP and WHR-300HP2 have nothing in common:

https://wikidevi.com/wiki/Buffalo_WHR-300HP
https://wikidevi.com/wiki/Buffalo_WHR-300HP2

Re: KRACK Attack against WPA2

tmo26 wrote:

WHR-300HP and WHR-300HP2 have nothing in common:

OK, thanks. Weird model numbering.

Re: KRACK Attack against WPA2

I hope many excellent articles will be posted on your site. Thank you very much for this and continue to share.

Re: KRACK Attack against WPA2

So, I'm trying to understand this vulnerability. As far as I read, it is a Wi-Fi level vulnerability and affects routers as they provide the functionality of Wi-Fi. If it is protected then our devices are protected? I have a Verizon carrier, would it be affected as well?

Re: KRACK Attack against WPA2

slh wrote:
HbbS wrote:

The router in question is:
TP-Link TL-WR2543N/ND v1
OpenWrt Attitude Adjustment 12.09 / LuCI 0.11.1 Release (0.11.1)

HbbS, that router has 8 MB flash and 64 MB RAM, otherwise being a bog standard ar71xx device, you really shouldn't be running 12.09 (which hasn't seen any kind of security support since at least 2014 - and yes, there are worse things to worry about with that release (e.g. kernel, dnsmasq, dropbear, pppd, ...) than just KRACK).

As mentioned previously in this thread, upgrading to LEDE 17.01.3 (and then to 17.01.4, once it becomes available) is probably the best course of action. Either way, sticking to 12.09 or 14.07 does not make any sense for devices that can run the current releases comfortably.

Thanks for the tip. Sorry for the late response.

If I upgrade to the latest LEDE will my OpenWrt settings be kept? (wifi channels, firewall rules..)

I just want to be sure since my openwrt installed version is an old one.

Please, let me know.

Thanks.

Re: KRACK Attack against WPA2

HbbS wrote:

If I upgrade to the latest LEDE will my OpenWrt settings be kept? (wifi channels, firewall rules..)

LEDE recommends that the "Keep Settings" checkbox NOT be checked:
https://lede-project.org/docs/guide-qui … grade.luci
https://lede-project.org/docs/guide-qui … epsettings

I'll be upgrading several WRT1900AC and WRT1900ACS routers from OpenWrt 15.05.1 but my configurations are basic so this isn't a huge pain. Small price to have a current, supported distro IMHO.

Re: KRACK Attack against WPA2

wigyori wrote:

We've decided that for CC we'll do a bugfix release (CC.1a or CC.2), which will only include the upgraded dropbear, *ssl, dnsmasq, and hostapd binaries. The kernel will remain the same, as upgrading that will require going through a whole RC cycle, which we're not geared up to.

The builds are running, will be available in the next couple days for the targets supported by CC.

Regards,
-w-

Are these cooked yet?  Not seeing a link to these anywhere like here:
https://wiki.openwrt.org/start
https://wiki.openwrt.org/about/history

LEDE has upgraded the relevant packages for the existing 17.01.x releases so one can just OPKG the new version in place. 

This is a much easier and preferred approach for many I suspect.  Just do not have the time to go back and do an entire refresh of my router with all the other packages and config I have done over the last 1-2 years. 

Alternatively in post 31 Grund_Grunf asked the question....

Grund_Grunf wrote:

Heads up: new LEDE packages were patched and available:

    [list of packages omitted]

I have couple of OpenWRT routers as well, hopefully there is a way to "reuse" LEDE  packages or we will all be forced to go to LEDE ...

... which I have not seen an answer to.

PC-Engines ALIX 2D13 CC 15.05 RC2 (Router - OpenVPN Server)
HooToo TM02 CC 15.05 (Travel Router - OpenVPN Client)
GLi-AR150 CC15.05/GLi 2.13 (Travel Router - OpenVPN Client)
Kingston MLWG2 CC15.05 (Travel Router - OpenVPN Client, mini-DLNA)

Re: KRACK Attack against WPA2

This might ease the transition.

No, really, call me newtown.
Oh, what quackery is this, that ruffles feathers so.
I'm not here, but then, you're not all there.
c7v2|c5v1 & WRTxx00ACx Images: Stuff

Re: KRACK Attack against WPA2

RangerZ wrote:

LEDE has upgraded the relevant packages for the existing 17.01.x releases so one can just OPKG the new version in place. 

This is a much easier and preferred approach for many I suspect.  Just do not have the time to go back and do an entire refresh of my router with all the other packages and config I have done over the last 1-2 years.

Part of the bugfix(es) is a kernel (mac80211) patch, which you can't upgrade via opkg and requires flashing an updated (the 17.01.4 release) firmware image via sysupgrade. While the most important fixes are indeed in the hostapd/ wpa_supplicant/ wpad userspace packages, the kernel fix is still recommended as well.
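
An added example, not written by any poster in this thread: a small shell check that reads `opkg list-installed`-style lines and reports whether the hostapd / wpad / wpa-supplicant userspace packages are at the fixed revision from the LEDE package list quoted earlier (`2016-12-19-ad02e79d-4` to `-5`). It assumes the `name - version` line format of `opkg list-installed`, treats any other base version as UNKNOWN, and says nothing about the kernel (mac80211) fix, which per the post above needs a sysupgrade; the function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example. Base version and fixed revision are taken from the
# package list quoted in the thread (...ad02e79d-4 -> ...ad02e79d-5).
BASE="2016-12-19-ad02e79d"
FIXED_REV=5

# Reads "name - version" lines on stdin and prints "name version STATUS"
# for the Wi-Fi userspace packages only.
krack_pkg_status() {
    while read -r name dash version; do
        case "$name" in
            hostapd|hostapd-*|wpad|wpad-*|wpa-supplicant|wpa-supplicant-*) ;;
            *) continue ;;
        esac
        [ "$dash" = "-" ] || continue
        rev="${version##*-}"    # package revision: text after the last '-'
        base="${version%-*}"    # upstream snapshot: everything before it
        status=UNKNOWN          # different snapshot or odd revision: cannot judge
        case "$rev" in
            ''|*[!0-9]*) ;;
            *)
                if [ "$base" = "$BASE" ]; then
                    if [ "$rev" -ge "$FIXED_REV" ]; then status=PATCHED
                    else status=OUTDATED; fi
                fi ;;
        esac
        echo "$name $version $status"
    done
}

# Succeeds only if at least one relevant package was seen and all are PATCHED.
krack_all_patched() {
    out=$(krack_pkg_status)
    [ -n "$out" ] || return 1
    ! echo "$out" | grep -Eq ' (OUTDATED|UNKNOWN)$'
}

# Constructed sample input (not captured from a real device)
SAMPLE='dnsmasq - 2.78-1
hostapd-common - 2016-12-19-ad02e79d-5
wpad-mini - 2016-12-19-ad02e79d-4
wpa-supplicant - 2016-06-15-1'

printf '%s\n' "$SAMPLE" | krack_pkg_status
# On a router: opkg list-installed | krack_pkg_status
```
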