KRACK wifi wpa2 vulnerability

Please report any bug found here

KRACK wifi wpa2 vulnerability

Postby waves » 23 Oct 2017, 11:44

A wifi security vulnerability has been widely reported.
https://www.krackattacks.com/
All home routers, laptops, smartphones and other devices that use wpa2 (the current standard solution) for wifi are affected. I assume any Raspberry Pi with RuneOS is also vulnerable.

Question: Is there some patch available for ArchLinux and/or Raspberry firmware patch that can also be applied to RuneOS device without breaking RuneAudio? Any other steps to mitigate the problem?

The more general worry is that it is hard for end users to do security updates for a device with RuneAudio since it is hard to know which parts of Arch will break Rune functionality if updated. I hope the version of RuneAudio in progress will some vanilla Linux distribution like Raspbian as a basis so that users can easily install security updates as they become available.
waves
 
Posts: 123
Joined: 31 Dec 2014, 10:33

Re: KRACK wifi wpa2 vulnerability

Postby waves » 24 Oct 2017, 08:57

According to https://github.com/kristate/krackinfo#v ... e-complete there are patches available for Arch Linux as of 2017-10-16

The two packages mentioned are
https://www.archlinux.org/packages/?name=hostapd
https://www.archlinux.org/packages/?name=wpa_supplicant

Has anyone tried updating those packages on a Raspberry device with RuneOS?
Is there some way to verify if updating those packages fixes the problem in RuneOS or are further patches needed?

Volumio (which has similar functionality to RuneAudio) has fixed the bug already, https://volumio.org/forum/bugs-wpa2-protocol-t7810.html
waves
 
Posts: 123
Joined: 31 Dec 2014, 10:33

Re: KRACK wifi wpa2 vulnerability

Postby waves » 25 Oct 2017, 14:47

Code: Select all
sudo pacman -Q wpa_supplicant

returns "wpa_supplicant 1:2.5-3"

Code: Select all
sudo pacman -Q hostapd

returns nothing

Code: Select all
sudo pacman -Sy
sudo pacman -Ss wpa_supplicant

returns
Code: Select all
core/wpa_actiond 1.4-2 [installed]
    Daemon that connects to wpa_supplicant and handles connect and disconnect
    events
core/wpa_supplicant 1:2.6-11 [installed: 1:2.5-3]
    A utility providing key negotiation for WPA wireless networks


I then tried
Code: Select all
sudo pacman -S wpa_supplicant

but the update failed due to conflicts

Code: Select all
resolving dependencies...
looking for conflicting packages...

Packages (2) openssl-1.0-1.0.2.l-1  wpa_supplicant-1:2.6-11

Total Download Size:   1.83 MiB
Total Installed Size:  8.12 MiB
Net Upgrade Size:      6.50 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
 openssl-1.0-1.0.2.l...  1150.3 KiB  1250K/s 00:01 [######################] 100%
 wpa_supplicant-1:2....   726.9 KiB  1817K/s 00:00 [######################] 100%
(2/2) checking keys in keyring                     [######################] 100%
(2/2) checking package integrity                   [######################] 100%
(2/2) loading package files                        [######################] 100%
(2/2) checking for file conflicts                  [######################] 100%
error: failed to commit transaction (conflicting files)
openssl-1.0: /usr/lib/libcrypto.so.1.0.0 exists in filesystem
openssl-1.0: /usr/lib/libssl.so.1.0.0 exists in filesystem
Errors occurred, no packages were upgraded.


Please RuneAudio devs, provide details on this issue and on how to patch the vulnerability.
waves
 
Posts: 123
Joined: 31 Dec 2014, 10:33

Re: KRACK wifi wpa2 vulnerability

Postby hondagx35 » 25 Oct 2017, 17:25

Hi,

for all who use my latest test image from here:
http://www.runeaudio.com/forum/runeaudio-0-4-beta-for-raspberry-pi2-3-t4434.html
it is easy to update.

Code: Select all
 pacman -Sy openssl pacman wpa_supplicant hostapd


Frank
User avatar
hondagx35
 
Posts: 3016
Joined: 11 Sep 2014, 22:06
Location: Germany

Re: KRACK wifi wpa2 vulnerability

Postby waves » 25 Oct 2017, 19:09

Hi Frank and thanks for the reply.

I'm at version "0.4 (build: beta-20160313)".

I ran your command
Code: Select all
pacman -Sy openssl pacman wpa_supplicant hostapd

on my version and it installed/upgraded the packages without error.

But since earlier (see previous post) the command "sudo pacman -Q hostapd" returned nothing I assume hostapd was/is not really used by the earlier 0.4 version I'm running.

So I'm uncertain if the install/upgrade command you give is enough to fix the issue in the version of RuneAudio I and no doubt some others have.

Do you know if there is some other package for that older version that must also be updated? Some package that does whatever hostapd does in your version?
waves
 
Posts: 123
Joined: 31 Dec 2014, 10:33

Re: KRACK wifi wpa2 vulnerability

Postby hondagx35 » 25 Oct 2017, 20:15

Hi waves,

it installed/upgraded the packages without error.

Thank you for the report.

Do you know if there is some other package for that older version that must also be updated? Some package that does whatever hostapd does in your version?

"hostapd" is only used/installed on my latest version and is only needed for the access point feature.


Frank
User avatar
hondagx35
 
Posts: 3016
Joined: 11 Sep 2014, 22:06
Location: Germany

Re: KRACK wifi wpa2 vulnerability

Postby waves » 25 Oct 2017, 21:53

Ok, thanks. So for anyone else reading this still on version "0.4 (build: beta-20160313)" the command to use to patch this problem is

Code: Select all
pacman -Sy openssl pacman wpa_supplicant
waves
 
Posts: 123
Joined: 31 Dec 2014, 10:33

support RuneAudio Donate with PayPal


Return to Bug report

Who is online

Users browsing this forum: No registered users and 1 guest