stable

wpa_supplicant-2.6-11.fc26

FEDORA-2017-60bfb576b7 created by lkundrak 5 years ago for Fedora 26

Fix the for the Key Reinstallation Attacks

hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082)
Fix PTK rekeying to generate a new ANonce
Prevent reinstallation of an already in-use group key and extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088)
Prevent installation of an all-zero TK
TDLS: Reject TPK-TK reconfiguration
WNM: Ignore WNM-Sleep Mode Response without pending request
FT: Do not allow multiple Reassociation Response frames

Upstream advisory: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Details and the paper: https://www.krackattacks.com/

Reboot Required

After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2017-60bfb576b7

This update has been submitted for testing by lkundrak.

5 years ago

lkundrak edited this update.

5 years ago

xenithorb commented & provided feedback 5 years ago

karma

Looks good, works as expected. Can't test mitigation yet because no scripts have been released.

BZ#1502589 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 wpa_supplicant: various flaws [fedora-all]

stbenjam provided feedback 5 years ago

karma

leigh123linux commented & provided feedback 5 years ago

karma

WFM

This update has been submitted for batched by bodhi.

5 years ago

mchapman provided feedback 5 years ago

karma

fdelapena provided feedback 5 years ago

karma

This update has been submitted for stable by lkundrak.

5 years ago

mtlflow provided feedback 5 years ago

karma

BZ#1502589 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 wpa_supplicant: various flaws [fedora-all]

anonymous commented & provided feedback 5 years ago

karma: +1

This update has been pushed to stable.

5 years ago

vedranm commented & provided feedback 5 years ago

karma

Works with a LEDE-powered router.

sebastiencs provided feedback 5 years ago

karma

goodmirek commented & provided feedback 5 years ago

karma

WFM, thanks!

rathann commented & provided feedback 5 years ago

karma

Works for me.

anonymous commented & provided feedback 5 years ago

WFM

karma: +1

BZ#1502589 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 wpa_supplicant: various flaws [fedora-all]

BZ#1500304 CVE-2017-13088 wpa_supplicant: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

BZ#1500303 CVE-2017-13087 wpa_supplicant: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

BZ#1491698 CVE-2017-13082 wpa_supplicant: Accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it

BZ#1491697 CVE-2017-13081 wpa_supplicant: Reinstallation of the integrity group key in the group key handshake

BZ#1491696 CVE-2017-13080 wpa_supplicant: Reinstallation of the group key in the group key handshake

BZ#1491694 CVE-2017-13079 wpa_supplicant: Reinstallation of the integrity group key in the 4-way handshake

BZ#1491693 CVE-2017-13078 wpa_supplicant: Reinstallation of the group key in the 4-way handshake

BZ#1491692 CVE-2017-13077 wpa_supplicant: Reinstallation of the pairwise key in the 4-way handshake

augenauf commented & provided feedback 5 years ago

karma

works, though I couldn't test attack mitigation.

robbinespu commented & provided feedback 5 years ago

karma

LGTM

BZ#1502589 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 wpa_supplicant: various flaws [fedora-all]

BZ#1500304 CVE-2017-13088 wpa_supplicant: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

BZ#1500303 CVE-2017-13087 wpa_supplicant: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

BZ#1491698 CVE-2017-13082 wpa_supplicant: Accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it

BZ#1491697 CVE-2017-13081 wpa_supplicant: Reinstallation of the integrity group key in the group key handshake

BZ#1491696 CVE-2017-13080 wpa_supplicant: Reinstallation of the group key in the group key handshake

Please login to add feedback.

Metadata

Type

security

Severity

high

Karma

Signed

Content Type

RPM

Test Gating

None

Builds

wpa_supplicant-2.6-11.fc26

Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

disabled

Dates

submitted

5 years ago

in stable

5 years ago

modified