[PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Questions about WIFI networks and devices
Forum rules
Before you post please read how to get help
Devnullptr_
Level 1
Level 1
Posts: 2
Joined: Mon Oct 16, 2017 9:30 am

[PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby Devnullptr_ » Mon Oct 16, 2017 9:34 am

Hi, I'm not sure if this is the place for this question but can someone on the team for Mint talk about what versions have been patched for KRACK? I know this exploit is new but it seems Debian has already patched some of their versions of wpa_supplicant.

Thank you

waynea
Level 3
Level 3
Posts: 111
Joined: Mon Oct 14, 2013 11:49 am

Re: Wpa2 vulnerability - krack

Postby waynea » Mon Oct 16, 2017 1:13 pm

I have just had an update for this I think

wpa (2.1-0ubuntu1.5) trusty-security; urgency=medium

* SECURITY UPDATE: Multiple issues in WPA protocol
- debian/patches/2017-1/*.patch: Add patches from Debian jessie
- CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
CVE-2017-13088
* SECURITY UPDATE: Denial of service issues
- debian/patches/2016-1/*.patch: Add patches from Debian jessie
- CVE-2016-4476
- CVE-2016-4477

User avatar
Moem
Level 11
Level 11
Posts: 3669
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Wpa2 vulnerability - krack

Postby Moem » Mon Oct 16, 2017 1:31 pm

Yes, me too. Thanks to the quickly responding folks upstream!
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

waynea
Level 3
Level 3
Posts: 111
Joined: Mon Oct 14, 2013 11:49 am

Re: Wpa2 vulnerability - krack

Postby waynea » Mon Oct 16, 2017 1:40 pm

Moem wrote:Yes, me too. Thanks to the quickly responding folks upstream!


yes, it's actually really impressive

User avatar
xenopeek
Level 24
Level 24
Posts: 21371
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: [PATCHED] Wpa2 vulnerability - krack

Postby xenopeek » Mon Oct 16, 2017 2:04 pm

>> This issue is already fixed for all Linux Mint versions. <<

If you haven't yet applied all available security upgrades in Update Manager, do so now.

The affected packages are hostapd and wpasupplicant. Both come from the upstream package wpa so Update Manager conveniently shows you these as one upgrade under the name "wpa". But if you want to check your installed package versions, you need those first two package names. Mind that hostapd isn't installed by default so it may not be present on your system.

For Linux Mint 18.x you need version 2.4-0ubuntu6.2 or newer.
For Linux Mint 17.x you need version 2.1-0ubuntu1.5 or newer.
For LMDE 2 you need version 2.3-1+deb8u5 or newer.

Ubuntu security notice for the WPA2 issue is found here: https://usn.ubuntu.com/usn/usn-3455-1/ (Linux Mint 18.x are based on Ubuntu 16.04 LTS and Linux Mint 17.x are based on Ubuntu 14.04 LTS). Debian security announcement for the WPA2 issue is found here: https://lists.debian.org/debian-securit ... 00261.html (LMDE 2 is based on Debian Jessie aka oldstable).

Most if not all major GNU/Linux distros have already fixed the WPA2 issue today. The real issue is with phones and tablets.
Image

Jaydemir
Level 4
Level 4
Posts: 217
Joined: Tue Jun 16, 2015 2:53 pm

Krack WiFi exploit [IS ALREADY PATCHED]

Postby Jaydemir » Mon Oct 16, 2017 4:05 pm

So I came across some articles about how M$ already patched Windows against some WiFi exploit dubbed 'Krack' that nobody else seems to have done yet. Any ideas on how such a thing would be patched in the Linux world? Would it be distro specific? Kernel update? Obviously any articles about security usually get blown up more than they should, and every threat is the next big problem. Its just nice to know if things like this are being addressed.
Last edited by karlchen on Mon Oct 16, 2017 5:08 pm, edited 1 time in total.
Reason: Appended to thread in "Main Edition" - "Wifi": "[PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]"

sarge816
Level 2
Level 2
Posts: 50
Joined: Sun Jun 13, 2010 9:04 pm

Re: Krack WiFi exploit

Postby sarge816 » Mon Oct 16, 2017 4:11 pm

Just today got an update for wpasupplicant, from 6.0 to 6.2. LM18.2 Xfce
https://wiki.archlinux.org/index.php/WPA_supplicant

User avatar
Moem
Level 11
Level 11
Posts: 3669
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Krack WiFi exploit

Postby Moem » Mon Oct 16, 2017 4:16 pm

This thread should answer your questions:
viewtopic.php?f=53&t=255523
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Devnullptr_
Level 1
Level 1
Posts: 2
Joined: Mon Oct 16, 2017 9:30 am

Re: [PATCHED] Wpa2 vulnerability - krack

Postby Devnullptr_ » Mon Oct 16, 2017 9:21 pm

Thank you. This is exactly what I needed.


xenopeek wrote:>> This issue is already fixed for all Linux Mint versions. <<

If you haven't yet applied all available security upgrades in Update Manager, do so now.

The affected packages are hostapd and wpasupplicant. Both come from the upstream package wpa so Update Manager conveniently shows you these as one upgrade under the name "wpa". But if you want to check your installed package versions, you need those first two package names. Mind that hostapd isn't installed by default so it may not be present on your system.

For Linux Mint 18.x you need version 2.4-0ubuntu6.2 or newer.
For Linux Mint 17.x you need version 2.1-0ubuntu1.5 or newer.
For LMDE 2 you need version 2.3-1+deb8u5 or newer.

Ubuntu security notice for the WPA2 issue is found here: https://usn.ubuntu.com/usn/usn-3455-1/ (Linux Mint 18.x are based on Ubuntu 16.04 LTS and Linux Mint 17.x are based on Ubuntu 14.04 LTS). Debian security announcement for the WPA2 issue is found here: https://lists.debian.org/debian-securit ... 00261.html (LMDE 2 is based on Debian Jessie aka oldstable).

Most if not all major GNU/Linux distros have already fixed the WPA2 issue today. The real issue is with phones and tablets.

jglen490
Level 1
Level 1
Posts: 42
Joined: Sat Jul 15, 2017 9:57 pm

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby jglen490 » Mon Oct 16, 2017 9:31 pm

Just patched our router, updated wpasupplicant in Kubuntu, fixing to update Mint shortly. Ready to rock, again.
I feel more like I do than I did when I got here.
Toshiba A135-S2386, Intel T2080, ATI Radeon® Xpress 200M Chipset, 2GB RAM, 500GB

jglen490
Level 1
Level 1
Posts: 42
Joined: Sat Jul 15, 2017 9:57 pm

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby jglen490 » Mon Oct 16, 2017 10:14 pm

Pulled out the laptop, updated wpa. Should be good to go.
I feel more like I do than I did when I got here.
Toshiba A135-S2386, Intel T2080, ATI Radeon® Xpress 200M Chipset, 2GB RAM, 500GB

xdicey
Level 4
Level 4
Posts: 466
Joined: Wed Sep 16, 2015 2:42 pm

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby xdicey » Tue Oct 17, 2017 9:42 pm

October being cyber security month; irony?
Do routers from ISPs need patching as well?
Rafaela Cinnamon 17.2, V 2.16, 64 bit, Kernel: 4.4.0-45
DELL Inspiron2350
-AIO TouchScreen
-QUAD CORE Intel Core i7-4700MQ CPU (-HT-MCP-) 2.40GHz x4
-12GB RAM, 1 TB SSHD
-Graphics Card: Intel 4th Gen Core Processor Integrated Graphics Controller

User avatar
xenopeek
Level 24
Level 24
Posts: 21371
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby xenopeek » Wed Oct 18, 2017 3:43 am

xdicey wrote:Do routers from ISPs need patching as well?

Ideally, yes, but the krackattacks folks had this to say about it:
What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
Image

User avatar
Faust
Level 3
Level 3
Posts: 180
Joined: Thu Jul 14, 2016 3:40 am

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby Faust » Wed Oct 18, 2017 4:43 am

No sign of any such updates for Mint 17.3 Cinnamon .
Most likely those affected packages were not installed by default ...
...... anybody else on 17.3 ?

xdicey wrote:......
Do routers from ISPs need patching as well?


It looks like this vulnerability would only be of any practical use to wardrivers , and to me this appears more like a proof-of-concept
than a genuine threat .
The probability that someone is in a vehicle , within wireless range , and actively trying to hack my wifi is tiny .
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .

User avatar
karlchen
Level 17
Level 17
Posts: 7948
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby karlchen » Wed Oct 18, 2017 4:52 am

Hi, Faust.

You should have received a wpa labelled update for wpasupplicant on Mint 17.x as well, irrespective of the desktop environment.
xenopeek gave these update version details for Mint 17.x :
For Linux Mint 17.x you need version 2.1-0ubuntu1.5 or newer.

It has arrived on my 2 Mint 17.x systems.
In case you cannot find it in your Update Manager history and in case it is not offered to you really, check
+ which update levels you have enabled in Update Manager. Should be 1, 2 and 3 at minimum (default)
+ whether you have enabled the option to "always trust and accept security updates" (wise idea to do so)

Best regards,
Karl
Image
Old bugs good, new bugs bad! Updates are evil: might fix old bugs and introduce no new ones.

User avatar
Pjotr
Level 18
Level 18
Posts: 8834
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby Pjotr » Wed Oct 18, 2017 5:07 am

Faust wrote:The probability that someone is in a vehicle , within wireless range , and actively trying to hack my wifi is tiny .

Image
Tip: 10 things to do after installing Linux Mint 18.2 Sonya
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
Faust
Level 3
Level 3
Posts: 180
Joined: Thu Jul 14, 2016 3:40 am

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Postby Faust » Wed Oct 18, 2017 5:58 am

karlchen wrote: ......
In case you cannot find it in your Update Manager history and in case it is not offered to you really, check
+ which update levels you have enabled in Update Manager. Should be 1, 2 and 3 at minimum (default)
+ whether you have enabled the option to "always trust and accept security updates" (wise idea to do so)
.....


Yes , those are exactly my chosen settings and always have been ( levels 1 to 3 , " always trust " etc ) .

I unchecked then re-checked those boxes , did a refresh , and Bingo ! .... there is the update .
Very strange ....

Many thanks for pointing the way ....
.... now I don't have to keep looking out of the window , watching for that character posted by @Pjotr ^^
:D
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .


Return to “Wireless”

Who is online

Users browsing this forum: No registered users and 2 guests