[PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Mon Oct 16, 2017 9:34 am
by Devnullptr_
Hi, I'm not sure if this is the place for this question but can someone on the team for Mint talk about what versions have been patched for KRACK? I know this exploit is new but it seems Debian has already patched some of their versions of wpa_supplicant.

Thank you

Re: Wpa2 vulnerability - krack

Posted: Mon Oct 16, 2017 1:13 pm
by waynea
I have just had an update for this I think

wpa (2.1-0ubuntu1.5) trusty-security; urgency=medium

* SECURITY UPDATE: Multiple issues in WPA protocol
- debian/patches/2017-1/*.patch: Add patches from Debian jessie
- CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
CVE-2017-13088
* SECURITY UPDATE: Denial of service issues
- debian/patches/2016-1/*.patch: Add patches from Debian jessie
- CVE-2016-4476
- CVE-2016-4477

Re: Wpa2 vulnerability - krack

Posted: Mon Oct 16, 2017 1:31 pm
by Moem
Yes, me too. Thanks to the quickly responding folks upstream!

Re: Wpa2 vulnerability - krack

Posted: Mon Oct 16, 2017 1:40 pm
by waynea
Moem wrote: Yes, me too. Thanks to the quickly responding folks upstream!


yes, it's actually really impressive

Re: [PATCHED] Wpa2 vulnerability - krack

Posted: Mon Oct 16, 2017 2:04 pm
by xenopeek
>> This issue is already fixed for all Linux Mint versions. <<

If you haven't yet applied all available security upgrades in Update Manager, do so now.

The affected packages are hostapd and wpasupplicant. Both come from the upstream package wpa so Update Manager conveniently shows you these as one upgrade under the name "wpa". But if you want to check your installed package versions, you need those first two package names. Mind that hostapd isn't installed by default so it may not be present on your system.

For Linux Mint 18.x you need version 2.4-0ubuntu6.2 or newer.
For Linux Mint 17.x you need version 2.1-0ubuntu1.5 or newer.
For LMDE 2 you need version 2.3-1+deb8u5 or newer.

Ubuntu security notice for the WPA2 issue is found here: https://usn.ubuntu.com/usn/usn-3455-1/ (Linux Mint 18.x are based on Ubuntu 16.04 LTS and Linux Mint 17.x are based on Ubuntu 14.04 LTS). Debian security announcement for the WPA2 issue is found here: https://lists.debian.org/debian-securit ... 00261.html (LMDE 2 is based on Debian Jessie aka oldstable).

Most if not all major GNU/Linux distros have already fixed the WPA2 issue today. The real issue is with phones and tablets.

Krack WiFi exploit [IS ALREADY PATCHED]

Posted: Mon Oct 16, 2017 4:05 pm
by Jaydemir
So I came across some articles about how M$ already patched Windows against some WiFi exploit dubbed 'Krack' that nobody else seems to have done yet. Any ideas on how such a thing would be patched in the Linux world? Would it be distro specific? Kernel update? Obviously any articles about security usually get blown up more than they should, and every threat is the next big problem. It's just nice to know if things like this are being addressed.

Re: Krack WiFi exploit

Posted: Mon Oct 16, 2017 4:11 pm
by sarge816
Just today got an update for wpasupplicant, from 6.0 to 6.2. LM18.2 Xfce
https://wiki.archlinux.org/index.php/WPA_supplicant

Re: Krack WiFi exploit

Posted: Mon Oct 16, 2017 4:16 pm
by Moem
This thread should answer your questions:
viewtopic.php?f=53&t=255523

Re: [PATCHED] Wpa2 vulnerability - krack

Posted: Mon Oct 16, 2017 9:21 pm
by Devnullptr_
Thank you. This is exactly what I needed.


xenopeek wrote:>> This issue is already fixed for all Linux Mint versions. <<

If you haven't yet applied all available security upgrades in Update Manager, do so now.

The affected packages are hostapd and wpasupplicant. Both come from the upstream package wpa so Update Manager conveniently shows you these as one upgrade under the name "wpa". But if you want to check your installed package versions, you need those first two package names. Mind that hostapd isn't installed by default so it may not be present on your system.

For Linux Mint 18.x you need version 2.4-0ubuntu6.2 or newer.
For Linux Mint 17.x you need version 2.1-0ubuntu1.5 or newer.
For LMDE 2 you need version 2.3-1+deb8u5 or newer.

Ubuntu security notice for the WPA2 issue is found here: https://usn.ubuntu.com/usn/usn-3455-1/ (Linux Mint 18.x are based on Ubuntu 16.04 LTS and Linux Mint 17.x are based on Ubuntu 14.04 LTS). Debian security announcement for the WPA2 issue is found here: https://lists.debian.org/debian-securit ... 00261.html (LMDE 2 is based on Debian Jessie aka oldstable).

Most if not all major GNU/Linux distros have already fixed the WPA2 issue today. The real issue is with phones and tablets.

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Mon Oct 16, 2017 9:31 pm
by jglen490
Just patched our router, updated wpasupplicant in Kubuntu, fixing to update Mint shortly. Ready to rock, again.

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Mon Oct 16, 2017 10:14 pm
by jglen490
Pulled out the laptop, updated wpa. Should be good to go.

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Tue Oct 17, 2017 9:42 pm
by xdicey
October being cyber security month; irony?
Do routers from ISPs need patching as well?

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Wed Oct 18, 2017 3:43 am
by xenopeek
xdicey wrote:Do routers from ISPs need patching as well?

Ideally, yes, but the krackattacks folks had this to say about it:
What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Wed Oct 18, 2017 4:43 am
by Faust
No sign of any such updates for Mint 17.3 Cinnamon .
Most likely those affected packages were not installed by default ...
...... anybody else on 17.3 ?

xdicey wrote:......
Do routers from ISPs need patching as well?


It looks like this vulnerability would only be of any practical use to wardrivers, and to me this appears more like a proof-of-concept than a genuine threat.
The probability that someone is in a vehicle, within wireless range, and actively trying to hack my wifi is tiny.

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Wed Oct 18, 2017 4:52 am
by karlchen
Hi, Faust.

You should have received a wpa labelled update for wpasupplicant on Mint 17.x as well, irrespective of the desktop environment.
xenopeek gave these update version details for Mint 17.x :
For Linux Mint 17.x you need version 2.1-0ubuntu1.5 or newer.

It has arrived on my 2 Mint 17.x systems.
In case you cannot find it in your Update Manager history and in case it is not offered to you really, check
+ which update levels you have enabled in Update Manager. Should be 1, 2 and 3 at minimum (default)
+ whether you have enabled the option to "always trust and accept security updates" (wise idea to do so)

Best regards,
Karl

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Wed Oct 18, 2017 5:07 am
by Pjotr
Faust wrote:The probability that someone is in a vehicle , within wireless range , and actively trying to hack my wifi is tiny .

Image

Re: [PATCHED] Wpa2 vulnerability - krack [issue is fixed on all Mint versions]

Posted: Wed Oct 18, 2017 5:58 am
by Faust
karlchen wrote: ......
In case you cannot find it in your Update Manager history and in case it is not offered to you really, check
+ which update levels you have enabled in Update Manager. Should be 1, 2 and 3 at minimum (default)
+ whether you have enabled the option to "always trust and accept security updates" (wise idea to do so)
.....


Yes , those are exactly my chosen settings and always have been ( levels 1 to 3 , " always trust " etc ) .

I unchecked then re-checked those boxes , did a refresh , and Bingo ! .... there is the update .
Very strange ....

Many thanks for pointing the way ....
.... now I don't have to keep looking out of the window , watching for that character posted by @Pjotr ^^
:D