CVE-2017-13077 - Update wpa_supplicant
Closed, Resolved / Public / BUG

Description

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames.

Debian-security for jessie is already patched - we have to double check that we ship patched versions in nightly releases.

Affects: any systems that act like WiFi clients.
Severity: high (a MITM attack by an unauthorized attacker is possible)

Original investigator's site: https://www.krackattacks.com/
CERT: http://www.kb.cert.org/vuls/id/228519
UPSTREAM patches: https://w1.fi/security/2017-1/
Overview: https://habrahabr.ru/company/pentestit/blog/340182/
Debian security: https://www.debian.org/security/2017/dsa-3999

Details

Difficulty level: Easy (less than an hour)
Version: Any
Why the issue appeared?: Will be filled on close

mickvav created this task. Oct 17 2017, 5:35 AM
c-po added a subscriber: c-po. Nov 3 2017, 4:52 PM

Our nightly builds ship wpasupplicant 2.3-1+deb8u4; according to https://www.debian.org/security/2017/dsa-3999 it's fixed in 2.3-1+deb8u5.

This may address another issue I discovered with the livebuild system. During rebuild, it does not automatically install all the latest security updates available like this one. Does anyone know how to add newer revisions of certain packages to live-build?

c-po added a subscriber: UnicronNL. Nov 7 2017, 7:08 AM

@UnicronNL maybe this will fix this issue:

diff --git i/scripts/live-build-config w/scripts/live-build-config
index c1c766f..990cb5c 100755
--- i/scripts/live-build-config
+++ w/scripts/live-build-config
@@ -51,7 +51,8 @@ lb config noauto \
         --mirror-binary {{debian_mirror}} \
         --mirror-binary-security {{debian_security_mirror}} \
         --archive-areas "main contrib non-free" \
-        --firmware-chroot true
+        --firmware-chroot true \
+        --updates true \
         "${@}"

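Review bot: on the added `--updates true \` line, this switch enables the updates archive, while the security archive is a separate `lb config` switch (`--security`) that the hunk leaves at its default; only `--mirror-binary-security` is visible in the context lines. Since the goal of this task is to pick up the DSA-3999 fix, set `--security true` explicitly next to `--updates true` and add a short comment saying why both are there, so the image contents do not depend on live-build defaults.
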
Unfortunately the vyos-build repo is not building anymore so I can't test.

https://github.com/vyos/vyos-build/commit/e5259ccb17e93e110d1dcdeb98f4dc1b9d1df192
This seems to have done the trick, thanks.

The build issue now hangs on the dependency on quagga.

c-po added a subscriber: syncer. Nov 7 2017, 8:52 PM

This did the trick. Just build a fresh ISO:

root@vyos:/home/vyos# dpkg --list | grep wpa
ii  wpasupplicant                     2.3-1+deb8u5                      amd64        client support for WPA and WPA2 (IEEE 802.11i)

@syncer looks like this is resolved now. All debian security updates are now automatically inserted in every new image.

syncer moved this task from Need Triage to In Progress on the VyOS 1.2.x board. Nov 8 2017, 10:55 AM
syncer removed a project: VyOS 2.0.x.

@UnicronNL Just to make sure, the package included in helium now is also patched?

I've done pkg-release in that package to include the latest commits into debian changelog and update the package version (helium4 now).

syncer closed this task as Resolved. Dec 21 2017, 9:25 PM
syncer claimed this task.
syncer moved this task from In Progress to Finished on the VyOS 1.2.x board.
syncer removed a project: VyOS 1.1.x.