Page MenuHomeVyOS Platform
Create Task
Maniphest T426

CVE-2017-13077 - Update wpa_supplicant
Closed, ResolvedPublicBUG
Actions

Description

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames.

Debian-security for jessie is already patched - we have to double check that we ship patched versions in nightly releases.

Affects: any systems that act like WiFi clients.
Severity: high (MITM attack of unauthorized attacker is possible)

Original investigator's site: https://www.krackattacks.com/
CERT: http://www.kb.cert.org/vuls/id/228519
UPSTREAM patches: https://w1.fi/security/2017-1/
Overview: https://habrahabr.ru/company/pentestit/blog/340182/
Debian security: https://www.debian.org/security/2017/dsa-3999

Details

Difficulty level
Easy (less than an hour)
Version
Any
Why the issue appeared?
Will be filled on close

Event Timeline

mickvav created this task.Oct 17 2017, 5:35 AM
sebastianm awarded a token.Oct 19 2017, 12:03 PM
c-po added a subscriber: c-po.Nov 3 2017, 4:52 PM

Our nightly builds ships wpasupplicant 2.3-1+deb8u4, according to https://www.debian.org/security/2017/dsa-3999 it's fixed in 2.3-1+deb8u5.

This may address another issue I discovered with the livebuild system. During rebuild, it does not automatically install all the latest security updates available like this one. Anyone knows how to add newer revisions of certain packages to live-build?

c-po added a subscriber: UnicronNL.Nov 7 2017, 7:08 AM

@UnicronNL maybe this will fix this issue:

diff --git i/scripts/live-build-config w/scripts/live-build-config
index c1c766f..990cb5c 100755
--- i/scripts/live-build-config
+++ w/scripts/live-build-config
@@ -51,7 +51,8 @@ lb config noauto \
         --mirror-binary {{debian_mirror}} \
         --mirror-binary-security {{debian_security_mirror}} \
         --archive-areas "main contrib non-free" \
-        --firmware-chroot true
+        --firmware-chroot true \
+        --updates true \
         "${@}"

Unfortunately the vyos-build repo is not building anymore so I can't test.

UnicronNL added a comment.Nov 7 2017, 9:05 AM

https://github.com/vyos/vyos-build/commit/e5259ccb17e93e110d1dcdeb98f4dc1b9d1df192
This seems to have done the trick thanks.

build issue now hangs on depend on quagga.

c-po added a subscriber: syncer.Nov 7 2017, 8:52 PM

This did the trick. Just build a fresh ISO:

root@vyos:/home/vyos# dpkg --list | grep wpa
ii  wpasupplicant                     2.3-1+deb8u5                      amd64        client support for WPA and WPA2 (IEEE 802.11i)

@syncer looks like this is resolved now. All debian security updates are now automatically inserted in every new image.

syncer moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.Nov 8 2017, 10:55 AM
syncer removed a project: VyOS 2.0.x.
dmbaturin added a subscriber: dmbaturin.Nov 9 2017, 3:52 PM

@UnicronNL Just to make sure, the package included in helium now is also patched?

dmbaturin added a comment.Nov 10 2017, 1:17 PM

I've done pkg-release in that package to include the latest commits into debian changelog and update the package version (helium4 now).

syncer closed this task as Resolved.Dec 21 2017, 9:25 PM
syncer claimed this task.
syncer moved this task from In Progress to Finished on the VyOS 1.2 Crux board.
syncer removed a project: VyOS 1.1.x.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1), VyOS-1.2.0-GA; removed VyOS 1.2 Crux.Oct 15 2018, 11:52 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.Oct 15 2018, 11:58 PM