Page MenuHomeSolus

CVE in WPA(2) (wpa_supplicant)
Closed, ResolvedPublic

Description

A Belgian security company found a lot of weaknesses in WPA2. Please see below CVEs.

CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13086
CVE-2017-13087
CVE-2017-13088

The Debian bug report can be found here

As with any major exploit, it even has its own website. A quote from their website:

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.
The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded.

Event Timeline

kyentei created this task.Oct 16 2017, 1:46 PM
kyentei updated the task description. (Show Details)
kyentei updated the task description. (Show Details)Oct 16 2017, 1:48 PM
ikey changed the visibility from "Public (No Login Required)" to "Custom Policy".Oct 16 2017, 2:18 PM
ikey changed the task status from Open to In Progress.Oct 16 2017, 4:10 PM
ikey claimed this task.
ikey changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 16 2017, 4:18 PM

This issue is now addressed in:

wpa_supplicant, version: 2.6, release: 9

This update has been released out of band is now available in Shannon. Users should update at their earliest convenience.

This comment was removed by baimafeima.