OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: franco on October 17, 2017, 07:18:48 am

Title: [CALL FOR TESTING] KRACK Attack fixes
Post by: franco on October 17, 2017, 07:18:48 am
Hi all,

So, I'll make this short: for those of you who run WPA2 on OPNsense, your networks aren't safe:

https://www.krackattacks.com/

Ironically, none of your wireless WPA2 gear is safe unless properly patched stretching over Android, Apple devices, home routers, etc... But that's out of our immediate scope and only mentioned as a reminder to patch or replace all your things.

At this point FreeBSD has no solution for their operating system code. That's very unlucky for such a strong project to say the least. The embargo for this issue was stretched for 3 months and if we (as OPNsense) had had advance notice or an immediate reaction via FreeBSD we would have been able to deliver an update today.

But as things are not so, we've been weighing options on how to go forward. FreeBSD's wpa code is version 2.5 for which no patches exist (only 2.6 and current) so patching the operating system with multiple patches was out of the question, because anything could go wrong and we don't want to leave you at risk for claiming something was fixed that really wasn't.

We ended up embracing the FreeBSD port updates for hostapd and wpa_supplicant which are easier to integrate and do not overwrite functionality in case the port updates are not viable or introduce regressions.

If anyone wants to help test, we are happy to provide a short guide on how to install these patched ports and switch the code over to use them instead.

This is in the hopes that we can get enough positive feedback to move ahead with a release on Thursday.


Thank you,
Franco
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: franco on October 17, 2017, 08:21:55 am
Here are the testing bits:

https://github.com/opnsense/core/commit/f0ad55d

Apply via:

# opnsense-patch f0ad55d

(run again to revert back to the OS binaries)

Then install the packages via:

(amd64/OpenSSL)

# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/latest/All/hostapd-2.6_1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/latest/All/wpa_supplicant-2.6_2.txz

(amd64/LibreSSL)

# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/libressl/All/hostapd-2.6_1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/libressl/All/wpa_supplicant-2.6_2.txz

(i386/OpenSSL)

# pkg add https://pkg.opnsense.org/FreeBSD:11:i386/snapshots/latest/All/hostapd-2.6_1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:i386/snapshots/latest/All/wpa_supplicant-2.6_2.txz

(i386/LibreSSL)

# pkg add https://pkg.opnsense.org/FreeBSD:11:i386/snapshots/libressl/All/hostapd-2.6_1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:i386/snapshots/libressl/All/wpa_supplicant-2.6_2.txz

Reboot your system to make sure everything is set up using the new binaries.


Cheers,
Franco
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: monstermania on October 17, 2017, 01:47:33 pm
Hi Franco,
is it possible to get the patch for x86 systems too?

best regards
Dirk
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: franco on October 17, 2017, 06:52:28 pm
Hi Dirk,

They have been built and uploaded, but I may or may not have done something to the update server that needs fixing... I'll post the links as soon as that's sorted.


Sorry,
Franco
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: franco on October 17, 2017, 08:01:32 pm
Updated with i386 packages above.
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: franco on October 18, 2017, 09:19:50 am
Nobody got feedback? Ideally, we would like to ship this tomorrow. ;)
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: monstermania on October 18, 2017, 11:19:44 am
I installed the patch one hour ago remotely on my OPNsense! ;)
I think tomorrow I can give feedback if the WLAN is still working flawlessly.

Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: monstermania on October 19, 2017, 08:39:35 am
Hi Franco,
the patch seems to work.
My internal WLAN and also my Guest_WLAN worked without any problems (both as RALINK usb wifi AP).

Here is the log for the internal WLAN AP between the rekeying events.

Oct 19 08:12:08 hostapd: run0_wlan1: WPA rekeying GTK
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: pairwise key handshake completed (RSN)
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX RADIUS: starting accounting session EAFA490D0B67F46B
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX IEEE 802.1X: authorizing port
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: received EAPOL-Key frame (4/4 Pairwise)
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: sending 3/4 msg of 4-Way Handshake
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: received EAPOL-Key frame (2/4 Pairwise)
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: sending 1/4 msg of 4-Way Handshake
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX IEEE 802.1X: unauthorizing port
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: start authentication
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: event 1 notification
Oct 19 08:07:10 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX IEEE 802.11: associated
Oct 19 08:07:07 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX IEEE 802.1X: unauthorizing port
Oct 19 08:07:07 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: event 2 notification
Oct 19 08:07:07 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX IEEE 802.11: disassociated
Oct 19 08:02:08 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: group key handshake completed (RSN)
Oct 19 08:02:08 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: received EAPOL-Key frame (2/2 Group)
Oct 19 08:02:08 hostapd: run0_wlan1: STA 00:eb:XX:XX:XX.XX WPA: sending 1/2 msg of Group Key Handshake
Oct 19 08:02:08 hostapd: run0_wlan1: WPA rekeying GTK
Oct 19 08:02:06 hostapd: run0_wlan1: WPA GMK rekeyd

So, the OPNsense is updated. But I don't think Sony will release updates for my Xperia Z1C or my wife's Xperia!  >:(

best regards
Dirk
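
An added example, not part of the post above and not OPNsense or hostapd code: a filter over hostapd log lines in the newest-first order of the paste that lists stations whose latest association was never followed by a completed pairwise (4-way) handshake. The sample lines and station addresses are constructed, and it assumes the same log verbosity as shown in the post.

```shell
#!/bin/sh
# Added example: reads hostapd log lines newest-first on stdin and prints
# "<iface> <station>" for each station that associated but did not complete
# the pairwise key handshake afterwards.
unauthenticated_stations() {
    awk '
        { line[NR] = $0 }                  # buffer, then replay oldest-first
        END {
            for (i = NR; i >= 1; i--) {
                n = split(line[i], f, " ")
                # AP-wide lines (for example "WPA rekeying GTK") carry no STA field
                if (n < 8 || f[6] != "STA") continue
                sub(/:$/, "", f[5])        # "run0_wlan1:" -> "run0_wlan1"
                key = f[5] " " f[7]
                if (line[i] ~ /IEEE 802\.11: associated/)
                    state[key] = "assoc"
                else if (line[i] ~ /pairwise key handshake completed/)
                    state[key] = "ok"
                else if (line[i] ~ /IEEE 802\.11: disassociated/)
                    delete state[key]
            }
            for (k in state) if (state[k] == "assoc") print k
        }' | sort
}

# Constructed sample, newest first: station :01 completes the handshake,
# station :02 only associates.
sample_log() {
cat <<'EOF'
Oct 19 08:07:11 hostapd: run0_wlan1: STA 02:00:00:00:00:02 IEEE 802.11: associated
Oct 19 08:07:10 hostapd: run0_wlan1: STA 02:00:00:00:00:01 WPA: pairwise key handshake completed (RSN)
Oct 19 08:07:10 hostapd: run0_wlan1: STA 02:00:00:00:00:01 IEEE 802.11: associated
Oct 19 08:02:08 hostapd: run0_wlan1: WPA rekeying GTK
EOF
}

sample_log | unauthenticated_stations
```

A station that is still in the middle of its handshake when the log ends is listed as well, so check the timestamps before treating a hit as an unprotected association.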
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: franco on October 19, 2017, 02:28:28 pm
Hi Dirk,

Many thanks for the testing! So we are going ahead with this tomorrow and make a note that opnsense-patch can restore to the unpatched tools if required for any reason, just as a precaution.

FreeBSD released modified patches for version 2.5 which are hard to put into testing and release and since we rather want 2.6 and official patches we will migrate to the ports and skip the FreeBSD patching.

Either way, problem solved, everyone happy.

Except for all the vendor stuff that will not be updated. I'm fearing Apple will not patch their Airport WiFi, which is a shame really, but then again they already vowed to kill the product range and turn this into a giant paperweight. ;(


Thanks again,
Franco
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: nicovell3 on October 20, 2017, 02:35:00 pm
Hi all,

Yesterday afternoon I updated the firewall, applied the patch with opnsense-patch f0ad55d and rebooted the firewall. Today, the users reported to me that the two wireless interfaces (both were protected, one with WPA2-PSK and the other with WPA2-Enterprise) were open without any authentication.

I had to undo the changes today to restore the WPA2 protection.

I don't know which logs I can provide to help in the investigation.

Regards,
Nico.
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: franco on October 20, 2017, 03:54:00 pm
Hi Nico,

That's a bit odd, we haven't changed any configuration file generation which would mean the configuration of hostapd reverts to open which should hopefully not be the case.

Hostapd config files are:

/var/etc/hostapd_*.conf

Wpa_supplicant config files are:

/var/etc/wpa_supplicant_*.conf


Cheers,
Franco
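
An added example, not part of the post above and not OPNsense code: a check of the generated hostapd config files named in the post that reports whether each access point is still configured for WPA2. It relies on hostapd's documented `wpa=` bit field and `wpa_key_mgmt=` setting; the demo files and their interface names are constructed.

```shell
#!/bin/sh
# Added example, not OPNsense code: classify hostapd configs by WPA setting.

# Print the last value assigned to key $1 in file $2 (comment lines never match).
conf_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# Classify one hostapd config from its wpa= bit field:
# bit0 = WPA, bit1 = WPA2 (RSN); unset or 0 means no WPA at all.
classify_hostapd_conf() {
    wpa=$(conf_get wpa "$1")
    mgmt=$(conf_get wpa_key_mgmt "$1")
    case "$wpa" in
        ''|0) echo "open" ;;
        1)    echo "wpa1-only" ;;
        2|3)  echo "wpa2 ${mgmt:-WPA-PSK}" ;;   # hostapd defaults to WPA-PSK
        *)    echo "unknown wpa=$wpa" ;;
    esac
}

# Audit every hostapd_*.conf in directory $1 (default: /var/etc, per the post).
# Returns non-zero if any file is not WPA2-protected.
audit_hostapd_confs() {
    dir=${1:-/var/etc}
    rc=0
    for f in "$dir"/hostapd_*.conf; do
        [ -e "$f" ] || continue
        result=$(classify_hostapd_conf "$f")
        echo "$f: $result"
        case "$result" in wpa2*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Demo on constructed files (not real OPNsense output).
demo_audit() {
    tmp=$(mktemp -d) || return 1
    printf 'interface=run0_wlan1\nssid=lan\nwpa=2\nwpa_key_mgmt=WPA-EAP\nrsn_pairwise=CCMP\n' \
        > "$tmp/hostapd_run0_wlan1.conf"
    printf 'interface=run0_wlan2\nssid=guest\n' > "$tmp/hostapd_run0_wlan2.conf"
    audit_hostapd_confs "$tmp"; status=$?
    rm -rf "$tmp"
    return "$status"
}

demo_audit || echo "at least one access point is not WPA2-protected"
```

Running `audit_hostapd_confs` with no argument after applying the patch and rebooting, and again after reverting, shows whether the generated configuration differs between the two states.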
Title: Re: [CALL FOR TESTING] KRACK Attack fixes
Post by: monstermania on October 21, 2017, 07:10:39 am
Hmm,
sounds strange. My WLAN works with wpa2 again after update.
This morning I updated to 17.7.6 and rebooted my OPNsense.
WLAN works perfectly for me.

Best regards
Dirk