Nothing so simple, unfortunately.  This class of vulnerability is actually a collection of 10 CVEs, which encompass both the AP side and client side.  If you've patched the AP side, for example, the attacker may still be able to compromise the set of session keys on the client side, and decrypt all of the client-sent traffic.


You've got to patch both sides to be fully secure.


"""

The direction in which packets can be decrypted (and possibly forged) depends on the handshake being attacked. Simplified, when attacking the 4-way handshake, we can decrypt (and forge) packets sent by the client. When attacking the Fast BSS Transition (FT) handshake, we can decrypt (and forge) packets sent towards the client. Finally, most of our attacks also allow the replay of unicast, broadcast, and multicast frames. For further details, see Section 6 of our research paper.

"""


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - HL Mencken



From: wlug-bounces@mail.wlug.org <wlug-bounces@mail.wlug.org> on behalf of Theo Van Dinter <felicity@kluge.net>
Sent: Monday, October 16, 2017 3:30 PM
To: Worcester Linux Users Group
Subject: Re: [Wlug] Major WPA2 Vulnerability
 
fwiw, my understanding is that the vulnerability is on the client side. therefore, I'm not sure what patches would get applied to an access point, though presumably if you use bridging (and maybe extension?) functionality then maybe there's an issue there.

iow, I think patching access points isn't necessary or at least is a low priority if you're not using a feature that turns the device into a client.


"""

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

"""

On Mon, Oct 16, 2017 at 3:21 PM, Michael C Voorhis <mvoorhis@cs.wpi.edu> wrote:
Chuck Anderson writes:
> Because none of Fedora's updates aren't actually released yet.  They
> are built and undergoing pushing/testing now, but being a public
> distro, anyone can get them if they know where to look:

Ubuntu released a bunch of WPA-related patches a little after noontime
today, it appears.

John Stoffel:
> I'm using DD-WRT on my APs at home, but god do the web pages and
> forums suck for actually figuring out what version to run and
> whether it's patched or not.  Sigh...

Ditto for OpenWRT, it appears the project is still alive, but you'd
never know, looking at their website.  I may switch to LEDE, which
confusingly appears to be a fork of OpenWRT which is trying to merge
back with OpenWRT....?

--MCV.
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug