KRACK wifi wpa2 vulnerability

Post by waves » 23 Oct 2017, 11:44

A wifi security vulnerability has been widely reported.
https://www.krackattacks.com/
All home routers, laptops, smartphones and other devices that use wpa2 (the current standard solution) for wifi are affected. I assume any Raspberry Pi with RuneOS is also vulnerable.

Question: Is there some patch available for ArchLinux and/or Raspberry firmware patch that can also be applied to RuneOS device without breaking RuneAudio? Any other steps to mitigate the problem?

The more general worry is that it is hard for end users to do security updates for a device with RuneAudio since it is hard to know which parts of Arch will break Rune functionality if updated. I hope the version of RuneAudio in progress will use some vanilla Linux distribution like Raspbian as a basis so that users can easily install security updates as they become available.
waves
 
Posts: 125
Joined: 31 Dec 2014, 10:33

Re: KRACK wifi wpa2 vulnerability

Post by waves » 24 Oct 2017, 08:57

According to https://github.com/kristate/krackinfo#v ... e-complete there are patches available for Arch Linux as of 2017-10-16

The two packages mentioned are
https://www.archlinux.org/packages/?name=hostapd
https://www.archlinux.org/packages/?name=wpa_supplicant

Has anyone tried updating those packages on a Raspberry device with RuneOS?
Is there some way to verify if updating those packages fixes the problem in RuneOS or are further patches needed?

Volumio (which has similar functionality to RuneAudio) has fixed the bug already, https://volumio.org/forum/bugs-wpa2-protocol-t7810.html
waves
 
Posts: 125
Joined: 31 Dec 2014, 10:33

Re: KRACK wifi wpa2 vulnerability

Post by waves » 25 Oct 2017, 14:47

Code:
sudo pacman -Q wpa_supplicant

returns "wpa_supplicant 1:2.5-3"

Code:
sudo pacman -Q hostapd

returns nothing

Code:
sudo pacman -Sy
sudo pacman -Ss wpa_supplicant

returns

Code:
core/wpa_actiond 1.4-2 [installed]
    Daemon that connects to wpa_supplicant and handles connect and disconnect
    events
core/wpa_supplicant 1:2.6-11 [installed: 1:2.5-3]
    A utility providing key negotiation for WPA wireless networks


I then tried
Code:
sudo pacman -S wpa_supplicant

but the update failed due to conflicts

Code:
resolving dependencies...
looking for conflicting packages...

Packages (2) openssl-1.0-1.0.2.l-1  wpa_supplicant-1:2.6-11

Total Download Size:   1.83 MiB
Total Installed Size:  8.12 MiB
Net Upgrade Size:      6.50 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
 openssl-1.0-1.0.2.l...  1150.3 KiB  1250K/s 00:01 [######################] 100%
 wpa_supplicant-1:2....   726.9 KiB  1817K/s 00:00 [######################] 100%
(2/2) checking keys in keyring                     [######################] 100%
(2/2) checking package integrity                   [######################] 100%
(2/2) loading package files                        [######################] 100%
(2/2) checking for file conflicts                  [######################] 100%
error: failed to commit transaction (conflicting files)
openssl-1.0: /usr/lib/libcrypto.so.1.0.0 exists in filesystem
openssl-1.0: /usr/lib/libssl.so.1.0.0 exists in filesystem
Errors occurred, no packages were upgraded.


Please RuneAudio devs, provide details on this issue and on how to patch the vulnerability.
waves
 
Posts: 125
Joined: 31 Dec 2014, 10:33

Re: KRACK wifi wpa2 vulnerability

Post by hondagx35 » 25 Oct 2017, 17:25

Hi,

for all who use my latest test image from here:
http://www.runeaudio.com/forum/runeaudio-0-4-beta-for-raspberry-pi2-3-t4434.html
it is easy to update.

Code:
 pacman -Sy openssl pacman wpa_supplicant hostapd


Frank
hondagx35
 
Posts: 3042
Joined: 11 Sep 2014, 22:06
Location: Germany

Re: KRACK wifi wpa2 vulnerability

Post by waves » 25 Oct 2017, 19:09

Hi Frank and thanks for the reply.

I'm at version "0.4 (build: beta-20160313)".

I ran your command
Code:
pacman -Sy openssl pacman wpa_supplicant hostapd

on my version and it installed/upgraded the packages without error.

But since earlier (see previous post) the command "sudo pacman -Q hostapd" returned nothing I assume hostapd was/is not really used by the earlier 0.4 version I'm running.

So I'm uncertain if the install/upgrade command you give is enough to fix the issue in the version of RuneAudio I and no doubt some others have.

Do you know if there is some other package for that older version that must also be updated? Some package that does whatever hostapd does in your version?
waves
 
Posts: 125
Joined: 31 Dec 2014, 10:33

Re: KRACK wifi wpa2 vulnerability

Post by hondagx35 » 25 Oct 2017, 20:15

Hi waves,

"it installed/upgraded the packages without error."

Thank you for the report.

"Do you know if there is some other package for that older version that must also be updated? Some package that does whatever hostapd does in your version?"

"hostapd" is only used/installed on my latest version and is only needed for the access point feature.


Frank
hondagx35
 
Posts: 3042
Joined: 11 Sep 2014, 22:06
Location: Germany

Re: KRACK wifi wpa2 vulnerability

Post by waves » 25 Oct 2017, 21:53

Ok, thanks. So for anyone else reading this still on version "0.4 (build: beta-20160313)" the command to use to patch this problem is

Code:
pacman -Sy openssl pacman wpa_supplicant
waves
 
Posts: 125
Joined: 31 Dec 2014, 10:33
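
One way to check the result of the update discussed in this thread, as an added example that is not part of any post and not RuneAudio's own tooling: it compares the installed wpa_supplicant against 1:2.6-11, the version the repository offered in the `pacman -Ss` output above (assumed here to be the build carrying the fix), and flags a wpa_supplicant process that is still running the pre-upgrade binary. The helper names `epoch`, `ver_ge` and `classify` are made up for this example.

```shell
#!/bin/sh
# Added example. MIN_WPA is taken from the thread's `pacman -Ss` output and is
# an assumption about which build carries the fix.
MIN_WPA="1:2.6-11"

# Print the epoch of a pacman version string (the part before ':', default 0).
epoch() { case $1 in *:*) echo "${1%%:*}" ;; *) echo 0 ;; esac; }

# ver_ge A B: succeed when version A >= B. Uses pacman's vercmp when present,
# otherwise compares the epoch first and the rest with GNU `sort -V`.
ver_ge() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -ge 0 ]; return
    fi
    ea=$(epoch "$1"); eb=$(epoch "$2")
    if [ "$ea" -ne "$eb" ]; then [ "$ea" -gt "$eb" ]; return; fi
    newest=$(printf '%s\n%s\n' "${1#*:}" "${2#*:}" | sort -V | tail -n 1)
    [ "$newest" = "${1#*:}" ]
}

# classify "<output of pacman -Q pkg>" "<minimum version>"
# Empty output means the package is not installed (as with hostapd above).
classify() {
    [ -n "$1" ] || { echo "not-installed"; return; }
    installed=${1#* }
    if ver_ge "$installed" "$2"; then echo "ok"; else echo "outdated"; fi
}

# Live check, only on a system that has pacman; run as root so that
# /proc/<pid>/exe of wpa_supplicant is readable.
if command -v pacman >/dev/null 2>&1; then
    echo "wpa_supplicant: $(classify "$(pacman -Q wpa_supplicant 2>/dev/null)" "$MIN_WPA")"
    pacman -Q hostapd >/dev/null 2>&1 || echo "hostapd: not installed"
    # An upgraded package does not replace the process already in memory.
    for pid in $(pidof wpa_supplicant 2>/dev/null); do
        case $(readlink "/proc/$pid/exe") in
            *"(deleted)") echo "pid $pid still runs the pre-upgrade binary: reboot or restart it" ;;
        esac
    done
fi
```

A result of "ok" only confirms the package version; the device is using the new code once no running wpa_supplicant process is reported as pre-upgrade.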
