OpenWrt Forum Archive

Topic: KRACK Attack against WPA2

The content of this topic has been archived between 30 Mar 2018 and 3 May 2018. Unfortunately there are posts – most likely complete pages – missing.

gaglia83 wrote:

As far as I understand, the LEDE brand is anyway going to die, and the codebase merged back to OpenWRT. Did I understand wrong? Not trolling, honest question, just asking

You got it in the wrong direction:
LEDE is to be renamed as Openwrt, LEDE codebase survives, useful (rather minor) new commits from the current Openwrt codebase are to be merged into LEDE, and the current Openwrt codebase is then to be retired.

(Just remember that practically all active core devs jumped into LEDE 18 months ago and since then the actual development at Openwrt has been rather minor. Like I said earlier, Openwrt trunk mostly is the April 2016 code plus some security fixes.)

See discussion at openwrt-devel mailing list, e.g. at https://www.mail-archive.com/openwrt-de … 41260.html

So, the current LEDE master (or the 17.01.4 stable release) is much closer to what will be called Openwrt after the merge than the current Openwrt DD trunk.

The latest OpenWrt build is 2 years old, and even if they patch it for KRACK it's still 2 years old. That said, I still use it on my primary router. Too much config and too many packages for me to spend the time to upgrade, and as I have no wireless, KRACK does not impact this device, but a package-based fix, like LEDE did, would be appreciated.

Upgrading to LEDE gets you a much newer Kernel, other security fixes and hopefully better wifi drivers. 
https://forum.lede-project.org/search?q … %20release
You can read about the different releases and fixes in mo' detail.

If you want to be protected from KRACK now, upgrade to 17.01.4

Upgrading to LEDE is easy, but you should NOT retain your config (back up the config and even use WINSCP to download your config files for easy reference). You also need to reinstall any packages you added.
HINT: you can screen scrape (drag and copy) Luci System=>Software to get a list of packages and save it in a file, or use opkg list in putty

When they get back together, you can just sysupgrade that version too with the same caveats as above.

My router is: TP-Link TL-WR841N/ND v9
Currently running OpenWRT version: openwrt-15.05.1-ar71xx-generic-tl-wr841n-v9-squashfs-factory.bin

LEDE will not work (properly) on this hardware. LEDE project suggested to stick to CC.
https://forum.lede-project.org/t/tl-wr8 … ce/3471/11
What now? Will there be a security update for CC?

czezz wrote:

Will there be a security update for CC?

Page 2 of this thread...
https://forum.openwrt.org/viewtopic.php … 71#p366871

wigyori wrote:

We've decided that for CC we'll do a bugfix release (CC.1a or CC.2), which will only include the upgraded dropbear, *ssl, dnsmasq, and hostapd binaries. The kernel will remain the same, as upgrading that will require going through a whole RC cycle, which we're not geared up to.

The builds are running, will be available in the next couple days for the targets supported by CC.

And you can naturally build CC branch yourself. The patch has been implemented there already.

Hi Hnyman,
thank you very much for this information. I'm looking forward to the updated image.

BTW. (that's gonna be a little bit off topic)
I would really love to try building my own CC once, e.g. by patching it.
Is there any guide describing how to do that? And where to download the sources and patch/patches from?

BTW2.
I understand that the one affected by KRACK is hostapd.
The remaining ones (dropbear, *ssl, dnsmasq) will be updated by the devs/maintainers just by the way, right?

czezz wrote:

I would really love to try building my own CC once, e.g. by patching it.
Is there any guide describing how to do that? And where to download the sources and patch/patches from?

No need to patch anything. The fixes have been implemented to the CC branch two weeks ago:
https://github.com/openwrt/openwrt/commits/chaos_calmer

Just follow the basic "build Openwrt" advice, and after cloning the repo, checkout the chaos_calmer branch

Or just clone chaos_calmer directly:
git clone -b chaos_calmer git://github.com/openwrt/openwrt.git

(Last edited by hnyman on 1 Nov 2017, 17:12)

wigyori wrote:

We've decided that for CC we'll do a bugfix release (CC.1a or CC.2), which will only include the upgraded dropbear, *ssl, dnsmasq, and hostapd binaries. The kernel will remain the same, as upgrading that will require going through a whole RC cycle, which we're not geared up to.

The builds are running, will be available in the next couple days for the targets supported by CC.

Regards,
-w-

I'm a little bit confused about the "couple of days". Are these bugfix releases ready/available? I have a TP-Link TL-WR741ND v4.2 I could play with. Should I flash the trunk release over my actual CC 15.05.1?:
https://downloads.openwrt.org/chaos_cal … pgrade.bin

(trunk release)
https://downloads.openwrt.org/snapshots … pgrade.bin

Thanks in advance.

@hnyman, @wigyori
If these new CC builds are made please include a link to them.

I've pushed wpad-mini binaries for the AR71xx architecture to

hxxps://github.com/kukulo2011/Openwrt_CC_Krack_wpad-mini

md5sum openwrt_krack_update_15.01_AR71XX.tar.gz     bbbc458b8eddd94ecb28ea6140688d59

Be sure your router is of AR71xx architecture, so check the Openwrt Wiki first!

(Last edited by kukulo on 2 Nov 2017, 20:22)

@kukulo, Will these work with any of the 15.05 versions including RC(X)?

(Last edited by RangerZ on 2 Nov 2017, 23:35)

I have tested only 15.05.1 on two devices. The question is the symbols in the dependencies. That is why we cannot use trunk binaries in 15.05.1.

You can test on the 15.0x Chaos Calmer. In worst case you will have to reset your router, which will remove any of the installed packages.

(Last edited by kukulo on 3 Nov 2017, 16:48)

I am looking to apply these to a GL.inet AR150 that appears to have been built on a snapshot version of CC between 15.05 and 15.05.1, specifically r46996 and kernel 3.18.21. I am reluctant to hose this puppy as it's been pretty well tweaked to connect to my VPN server at home via TAP, which is not supported in the GL.inet VPN tools.

The symbol dependencies or trunk binaries mean nothing to the dumb windows user in the room. I respect that you can guarantee nothing, but I am not at all sure what this means.

I would first back up the configuration. In case of need I would also prepare an original ipk wpad-mini package.
Of course this has to happen over a wired connection, as the wpad binary takes care of wireless authentication.
In the worst case the entry points between the linked binaries of wpad, libc, libnl-tiny and others will not be found and the wpad process will crash, so you will have no wireless. In Windows there are similar issues when there are compatibility problems between some dll library versions. Over a wired connection you can perhaps repair the package. In the worst case you revert to your basic configuration by resetting your router.

I'd better flash a sysupgrade to Owrt Chaos Calmer 15.05.1 and then apply the github binaries to update Krack issue.

Note that the wpad binary is not kernel version dependent, but it has its own dependencies: libc, libnl-tiny, hostapd-common, libubus. This is the same for 15.05 through 15.05.1

So if I can simplify this for the dumb windows user in the room:
Download the current versions of wpad-mini and hostapd-common
Connect over Ethernet and OPKG INSTALL your 2 files
If I have wireless, drink a beer
If I do not have wireless OPKG INSTALL the 2 original files.
If I have wireless, drink a beer
If I do not have wireless, cry in beer.  Actually not a good idea to waste good beer.

If you are afraid of the update, then I would do a sysupgrade to 15.05.1 and then apply the files or wait for an official repository update.
I updated tl-wr1043nd and tl-wr841nd devices, first with a sysupgrade to 15.05.1, then installing the old packages and finally applying the Krack update of wpad-mini. Both routers are working...
I am now running out of beers.

EDIT: I freshly updated a tl-wr940n device with a sysupgrade to 15.05.1 and then applied the Krack update.
I am drinking a beer on it.

(Last edited by kukulo on 4 Nov 2017, 10:27)

kukulo wrote:

If you are afraid of the update, then I would do a sysupgrade to 15.05.1 and then apply the files or wait for an official repository update.
I updated tl-wr1043nd and tl-wr841nd devices, first with a sysupgrade to 15.05.1, then installing the old packages and finally applying the Krack update of wpad-mini. Both routers are working...
I am now running out of beers.

Hi, I'm new here but I have used OpenWrt for almost 10 years, since I re-installed my first Fonera... I'm currently using a Tp-Link TL-WR841nd v8.0 (a well known 4/32 problem affected router) with CC 15.05.1. Just to be sure to have the latest version installed, yesterday I did the sysupgrade installation, then I wish I could run out of beer too, but my router has only 192kB left on /overlay after the sysupgrade, even before installing the other packages that I had installed before the upgrade.

In any case, opkg complains that it needs 220kB to install wpad and does not permit me to install it. Even with the --force-space option it cannot install the package.

Did you do some particular operation to install it?

I installed first the tl-wr841nd with bare sysupgrade and then the wpad-mini package.

What you need is a special firmware because you had a custom firmware before.
I've built a new custom firmware based on the wr841n-build.sh build script and changed the git repository pointing to the 15.05.1 new source (forum.openwrt.org/viewtopic.php?id=54604)
Grab your firmware at: github.com/kukulo2011/Openwrt_CC_Krack_wpad-mini

Tested on my TL-WR841N v8

(Last edited by kukulo on 6 Nov 2017, 21:19)

Hi guys, so I followed your advice and I updated my ArcherC7v2 to the latest LEDE build:

Firmware Version    LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685)
Kernel Version    4.4.92

I also re-added by hand the old configuration and everything seems to work smoothly. Only thing is, if I look at the list of packages, hostapd and related still seem to be outdated (i.e. pre-KRACK). How do I check if I am still affected, and what to do in case I am?

I added firmwares for custom Openvpn build + wifi Krack update for the TL-WR941 series.

hxxps://github.com/kukulo2011/Openwrt_CC_Krack_TL-WR941

The images still need some testing as now I do not have access to the TL-WR941 router. Volunteers needed.

RangerZ wrote:

So if I can simplify this for the dumb windows user in the room:
Download the current versions of wpad-mini and hostapd-common
Connect over Ethernet and OPKG INSTALL your 2 files
If I have wireless, drink a beer
If I do not have wireless OPKG INSTALL the 2 original files.
If I have wireless, drink a beer
If I do not have wireless, cry in beer.  Actually not a good idea to waste good beer.

So if we're running 15.05.01, we can update these two via opkg and we're good?
Am I understanding this right?

shockedquartz wrote:
RangerZ wrote:

So if I can simplify this for the dumb windows user in the room:
Download the current versions of wpad-mini and hostapd-common
Connect over Ethernet and OPKG INSTALL your 2 files
If I have wireless, drink a beer
If I do not have wireless OPKG INSTALL the 2 original files.
If I have wireless, drink a beer
If I do not have wireless, cry in beer.  Actually not a good idea to waste good beer.

So if we're running 15.05.01, we can update these two via opkg and we're good?
Am I understanding this right?

Yes. Push the files with scp to /tmp (RAM) and update with opkg install wpad-mini_2016-06-15-1_ar71xx.ipk
I tested the package with three routers TL-WR1043ND, TL-WR841ND, TL-WR941N.
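
The steps discussed in this thread (check the posted MD5, confirm the router is ar71xx, keep the original package for rollback, back up the config, then opkg install) written as a pre-install gate. This is an added example, not code from any poster or from OpenWrt; the function names and argument order are hypothetical, and it assumes the .ipk has already been extracted from the tarball into /tmp.

```shell
#!/bin/sh
# Added example (not from the thread): gate a third-party wpad-mini install.
# The MD5 value and file names are the ones posted in this thread;
# the function names are hypothetical.
EXPECTED_MD5="bbbc458b8eddd94ecb28ea6140688d59"

# verify_md5 FILE EXPECTED: 0 on match, 1 on mismatch, 2 if FILE is missing.
verify_md5() {
    [ -f "$1" ] || return 2
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# ipk_arch FILE: print the arch field of a name_version_arch.ipk file name.
ipk_arch() {
    base=${1##*/}
    base=${base%.ipk}
    printf '%s\n' "${base##*_}"
}

# arch_supported ARCH LIST: LIST is the output of `opkg print-architecture`
# (lines of the form "arch <name> <priority>").
arch_supported() {
    printf '%s\n' "$2" |
        awk -v a="$1" '$1 == "arch" && $2 == a { ok = 1 } END { exit !ok }'
}

# safe_install TARBALL NEW_IPK ORIG_IPK
# Assumption: NEW_IPK was extracted from TARBALL, ORIG_IPK is the stock
# package kept for rollback. Run this over Ethernet, not over wifi.
safe_install() {
    verify_md5 "$1" "$EXPECTED_MD5" || { echo "MD5 mismatch: $1" >&2; return 1; }
    arch_supported "$(ipk_arch "$2")" "$(opkg print-architecture)" \
        || { echo "package arch not accepted by this router" >&2; return 1; }
    [ -f "$3" ] || { echo "no rollback package at $3" >&2; return 1; }
    sysupgrade -b /tmp/config-backup.tar.gz || return 1  # config backup first
    opkg install "$2" && return 0
    # Install failed: put the stock package back. Whether wireless actually
    # comes up after a successful install still has to be checked by hand.
    echo "install failed, restoring $3" >&2
    opkg --force-reinstall --force-downgrade install "$3"
}
```

The MD5 check only catches a corrupted or truncated download; because the hash is published next to the file by the same poster, it says nothing about whether the binary itself is trustworthy.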

gaglia83 wrote:

Only thing is, if I look at the list of packages, hostapd and related still seem to be outdated (i.e. pre-KRACK). How do I check if I am still affected, and what to do in case I am?

Anyone please?

gaglia83 wrote:
gaglia83 wrote:

Only thing is, if I look at the list of packages, hostapd and related still seem to be outdated (i.e. pre-KRACK). How do I check if I am still affected, and what to do in case I am?

Anyone please?

I would try to issue these commands:

opkg update

opkg upgrade wpad-mini

The second command is to upgrade the wpad-mini package from the repository if a newer version is found.

Can someone answer this please:  Do the current snapshots contain the KRACK patches?

downloads.openwrt.org  snapshots/trunk/ar71xx/generic/

What I infer from the developer's post (embedded below) is that the snapshots are updated - build date 3 November

But I just want this confirmed before I go to the hassle of re-flashing?

This also means that all people have to do is download the latest snapshot image - flash it - and you're done.. all updated. There's very very little difference between the snapshot and 15.05.1, so no one should be worrying about the snapshot being "bleeding edge" and risky, simply because there's been so little development done since 05.1

Look forward to an informed response

wigyori wrote:

We've decided that for CC we'll do a bugfix release (CC.1a or CC.2), which will only include the upgraded dropbear, *ssl, dnsmasq, and hostapd binaries. The kernel will remain the same, as upgrading that will require going through a whole RC cycle, which we're not geared up to.

The builds are running, will be available in the next couple days for the targets supported by CC.

Regards,
-w-

Hi, please let me ask again: am I still affected?

Firmware Version    LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685)
Kernel Version    4.4.92

Thanks in advance