
Author Topic: Very serious security problems with WPA2  (Read 1334 times)


Offline pakman

Very serious security problems with WPA2
« on: October 16, 2017, 06:18:00 am »
News is breaking about a serious protocol-level security flaw in WPA2. Is it known yet what steps pfSense are taking, and a likely timeframe for the availability of a patch?

For details, see https://www.krackattacks.com/

Offline ivor

Re: Very serious security problems with WPA2
« Reply #1 on: October 16, 2017, 07:23:10 am »
We learned about the issue last night. We're looking into it.
Need help fast? Commercial support: https://www.netgate.com/support/

Online kpa

Re: Very serious security problems with WPA2
« Reply #2 on: October 16, 2017, 07:28:16 am »
pfSense is not going to implement their own patch for the vulnerabilities, that I'm certain of; this belongs to the FreeBSD upstream. If it's not the case that the WPA2 encryption standard is seriously flawed, and the vulnerabilities can be worked around without breaking compatibility, you could expect a fix in a couple of days.

Offline jwt


Offline bfeitell

Re: Very serious security problems with WPA2
« Reply #4 on: October 17, 2017, 02:59:10 am »
**EDIT** This pre-patch mitigation only applies to those using 802.1x RADIUS.

I am not certain of this, but I believe that pfSense's "Authentication Roaming Preauth" is the "Fast BSS Transition from IEEE 802.11r" a/k/a "FT", or "fast roaming", discussed in the hostapd vulnerability patch notes. This should be shut off to prevent one of the exploits of hostapd, according to the stop-gap mitigations discussed in the hostapd patch notes for KRACK.

https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

From the "possible mitigation steps" section:
"- For AP/hostapd and FT replay issue (CVE-2017-13082), it is possible to prevent the issue temporarily by disabling FT in runtime configuration, if needed before being able to update the implementations."


« Last Edit: October 17, 2017, 10:27:45 am by bfeitell »
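
Added example, not part of the post above and not code from the hostapd or pfSense projects: a small audit that finds which BSSes in a hostapd.conf enable FT key management (the `FT-` entries in `wpa_key_mgmt`), which is what the quoted stop-gap for CVE-2017-13082 turns off. The sample configuration is constructed, and no assumption is made about which pfSense GUI option produces these entries.

```python
# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
interface=wlan0
ssid=corp
wpa=2
wpa_key_mgmt=WPA-EAP FT-EAP
mobility_domain=a1b2
bss=wlan0_1
ssid=guest
wpa=2
wpa_key_mgmt=WPA-PSK
"""

def parse_bss_sections(text):
    """Group options per BSS: 'interface=' names the first, 'bss=' opens another."""
    sections = [{"name": "(primary)", "opts": {}}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "interface":
            sections[0]["name"] = value
        elif key == "bss":
            sections.append({"name": value, "opts": {}})
        else:
            sections[-1]["opts"][key] = value
    return sections

def ft_findings(text):
    """Map BSS name -> FT key-management suites it advertises."""
    found = {}
    for sec in parse_bss_sections(text):
        ft = [a for a in sec["opts"].get("wpa_key_mgmt", "").split() if a.startswith("FT-")]
        if ft:
            found[sec["name"]] = ft
    return found

def strip_ft(text):
    """Drop FT AKMs; return (new_text, line numbers where FT was the only AKM)."""
    out, review = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip().startswith("wpa_key_mgmt="):
            akms = raw.split("=", 1)[1].split()
            kept = [a for a in akms if not a.startswith("FT-")]
            if kept:
                raw = "wpa_key_mgmt=" + " ".join(kept)
            elif akms:
                review.append(n)  # removing FT would leave no AKM: decide by hand
        out.append(raw)
    return "\n".join(out) + "\n", review
```

Lines returned in the review list are left unchanged on purpose, because a BSS whose only key management was FT needs a replacement suite chosen by the administrator.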

Offline mxcprod

Re: Very serious security problems with WPA2
« Reply #5 on: October 17, 2017, 08:55:44 am »
If OpenBSD was aware of the problem since mid-July and has already deployed a patch, then why was FreeBSD only aware of the problem a couple of days ago?

Ubiquiti is already up to date against this flaw. That's sad for pfSense.

Online kpa

Re: Very serious security problems with WPA2
« Reply #6 on: October 17, 2017, 09:10:40 am »
OpenBSD is known for holding grudges against FreeBSD, which they consider a less secure and less professionally developed BSD variant, and they don't feel they have to notify FreeBSD devs about security issues they are aware of that might affect FreeBSD as well. Sad but true.
« Last Edit: October 17, 2017, 09:16:09 am by kpa »

Offline ivor

Re: Very serious security problems with WPA2
« Reply #7 on: October 17, 2017, 09:16:59 am »
> If OpenBSD was aware of the problem since mid-July and has already deployed a patch, then why was FreeBSD only aware of the problem a couple of days ago?
>
> Ubiquiti is already up to date against this flaw. That's sad for pfSense.

Why is it sad for pfSense? The latest snapshots already have the fix.

Offline jwt

Re: Very serious security problems with WPA2
« Reply #8 on: October 17, 2017, 09:21:58 am »
> If OpenBSD was aware of the problem since mid-July and has already deployed a patch, then why was FreeBSD only aware of the problem a couple of days ago?
>
> Ubiquiti is already up to date against this flaw. That's sad for pfSense.

Because OpenBSD had a specific attack shown to them, so they broke the embargo, and as a direct result, that researcher will no longer give them long lead times. Further, the researcher showed where OpenBSD is still vulnerable.

Snapshots for 2.4.1 and 2.3.5 with fixes for this problem and others are already published.

Nor would I call Ubiquiti “up to date”.  While they published firmware for UniFi and SG- series, they build a lot of other gear (e.g. cameras) that have not been updated.

Finally, what is “sad” here is your desperate cry for attention from a new account.  Stop, or the ban hammer drops.

Offline kejianshi

Re: Very serious security problems with WPA2
« Reply #9 on: October 17, 2017, 09:24:08 am »
The vast majority of people are not going to update from snapshots for machines in use, unless they are lunatics. 
However, I'd bet a regular update gets pushed soon for everyone.

Still, I'm betting 90%+ of the hardware out there doesn't get updated.  The vast majority of the APs, routers, phones etc etc currently being used just got obsoleted.

Offline jwt

Re: Very serious security problems with WPA2
« Reply #10 on: October 17, 2017, 09:28:08 am »
> The vast majority of people are not going to update from snapshots for machines in use, unless they are lunatics.

Nor are the vast majority of pfSense users using WiFi.

I anticipate both 2.4.1 and 2.3.5 being released next week. (Ask me how I know.)

« Last Edit: October 17, 2017, 09:31:45 am by jwt »

Offline kejianshi

Re: Very serious security problems with WPA2
« Reply #11 on: October 17, 2017, 09:32:18 am »
Correct.  This has zero effect on my pfsense.

Just every other piece of equipment I have that uses wifi.  I don't see this as a pfsense emergency for most people.   

However, events like this are why I keep my modems, routers, switches and APs as separate pieces and not integrated.

Replacing my AP will be simple.  I can't be sure my phone will get an update though.  I'd bet most won't other than relatively new models.

OK - I'll bite...   How does a pfsense admin know what might be coming soon?  (rhetorical question)

https://redmine.pfsense.org/issues/7951
« Last Edit: October 17, 2017, 10:01:36 am by kejianshi »

Offline mxcprod

Re: Very serious security problems with WPA2
« Reply #12 on: October 17, 2017, 09:44:03 am »
I didn't mean to get attention. I tried to update my router yesterday and the latest version I could get is 2.4.0, so I concluded that I couldn't have the fix because the link you (jwt) wrote below targets version 2.4.1.
I thought pfSense was late on the release, that's it. Sorry for the misinterpretation.

Offline kejianshi

Re: Very serious security problems with WPA2
« Reply #13 on: October 17, 2017, 09:55:44 am »
I'm usually pushing all my traffic through a VPN to my remote pfSense. So, my phone WPA2 isn't patched and I'd bet it won't be patched for a while, but the always-on VPN will limit the damage anyone could do with a hack. You just need to treat every connection, even your own at home, like an insecure coffee shop connection until everything is either patched or replaced.

pfSense is the least of your problems. It for sure has a patch on the way.

Online johnpoz

Re: Very serious security problems with WPA2
« Reply #14 on: October 17, 2017, 11:02:47 am »
For the UniFi stuff the "fix" they released was in the 3.9.3 beta code.. I am not aware of any updates to any of their stable firmware as of yet. And I monitor their release channels. Possible I missed it.. But last I saw, when someone asked for the 3.8 line, they stated it would be released in upcoming days.

To be honest, fixes for APs and such are for when they are used as a wifi client, i.e. wireless uplink.. That is my understanding of the problem.. Am I wrong in that assumption? So this fix is not really doing much for the bigger issue. The bigger issue is the client side.. And IoT devices will prob be the big issue.. Good luck getting updates to those China cameras you got for 5$ on eBay ;) hehehe

What is the user base for pfSense as a wifi client?

This is also another example of why you use different networks for your different device types.. Your IoT devices should be on their own VLAN via wifi.. Then all your other devices. Your laptop and such should be patched really quickly.. But those IoT devices are going to be farther behind.. But since your device traffic isn't on the same network as those that might get exploited as such.. Then it's not as big a deal, etc.

Curious how far out Nest's update is? Or Harmony Hub, TP-Link smart lightbulbs and elec switches, etc.

- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE (home)