Bug 21879 - wpa_supplicant, hostapd several new security issues fixed upstream
Summary: wpa_supplicant, hostapd several new security issues fixed upstream
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: High major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.krackattacks.com/
Whiteboard: MGA5TOO MGA6-64-OK mga5-64-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-10-16 12:00 CEST by David Walser
Modified: 2017-10-19 20:14 CEST (History)
10 users (show)

See Also:
Source RPM: wpa_supplicant-2.6-2.mga7.src.rpm, hostapd-2.6-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-10-16 12:00:43 CEST
Upstream has issued an advisory today (October 16):
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Patches are available at:
https://w1.fi/security/2017-1/

but it sounds like it might be better to update to 2.7 when available.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-10-16 12:01:21 CEST

CC: (none) => tmb
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Frédéric "LpSolit" Buclin 2017-10-16 12:57:05 CEST
Full story here: https://www.krackattacks.com/

From what I can read, this is a pretty major issue.

Severity: normal => major
Priority: Normal => High
URL: (none) => https://www.krackattacks.com/

Comment 2 Marja Van Waes 2017-10-16 22:18:47 CEST
(In reply to Frédéric Buclin from comment #1)
> Full story here: https://www.krackattacks.com/
> 
> From what I can read, this is a pretty major issue.

Assigning to the registered maintainer.

CC'ing the last ones who pushed those two packages.

CC: (none) => cjw, guillomovitch, marja11
Assignee: bugsquad => tmb

Comment 3 David Walser 2017-10-16 23:16:24 CEST
Ubuntu has issued an advisory for this today (October 16):
https://usn.ubuntu.com/usn/usn-3455-1/
Comment 4 Thomas Backlund 2017-10-17 08:39:32 CEST
Yeah, I'll go fix this tonight.

This is one of the security issues that will take years (if ever) to get fixed everywhere considering how much wpa2 enabled hw is out there
Comment 5 Thomas Backlund 2017-10-17 14:23:33 CEST
Cauldron fixed as  hostapd/wpa_suppliocant-2.6-3.mga7

Mga6 is fixed as of: hostapd/wpa_supplicant-2.6-1.1.mga6 currently in testing

Mga5 in still WIP...

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 6 David Walser 2017-10-17 16:29:58 CEST
Built so far:
wpa_supplicant-2.6-1.1.mga6
wpa_supplicant-gui-2.6-1.1.mga6
hostapd-2.6-1.1.mga6

from SRPMS:
wpa_supplicant-2.6-1.1.mga6.src.rpm
hostapd-2.6-1.1.mga6.src.rpm
Comment 7 Marja Van Waes 2017-10-17 23:38:21 CEST
(In reply to David Walser from comment #6)
> Built so far:
> wpa_supplicant-2.6-1.1.mga6
> wpa_supplicant-gui-2.6-1.1.mga6
> hostapd-2.6-1.1.mga6
> 
> from SRPMS:
> wpa_supplicant-2.6-1.1.mga6.src.rpm
> hostapd-2.6-1.1.mga6.src.rpm

CC'ing QA team leaders/representatives, in case they want their team to already start testing.

@ QA team leaders/representatives

This is about the WPA2 vulnerability everybody talks about
https://www.krackattacks.com/

(Btw, https://wiki.mageia.org/en/Org_Council needs to be updated for all teams, sorry if I don't remember who replaces MrsB :-( )

CC: (none) => davidwhodgins, lewyssmith, wilcal.int

Comment 8 w unruh 2017-10-18 00:29:00 CEST
I have built the wpa_supplicant-2.6-1.1.mga6.src.rpm and hostapd-2.6-1.1.mga6.src.rpm on MGA5-x86 without problem. Unfortunately the machine has no wireless card so cannot test whether they work. (It starts but then complains about no wireless).

CC: (none) => unruh

Comment 9 w unruh 2017-10-18 00:47:32 CEST
{wpa_supplicant,hostapd}-2.6-3.mga7 also built fine on my MGA5 system.
Comment 10 Dave Hodgins 2017-10-18 06:12:08 CEST
Works fine on one system I have wireless ssh access to.

# systemctl status wpa_supplicant.service 
● wpa_supplicant.service - WPA Supplicant daemon
   Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-10-18 00:06:41 EDT; 3min 29s ago
 Main PID: 1912 (wpa_supplicant)
   CGroup: /system.slice/wpa_supplicant.service
           └─1912 /usr/sbin/wpa_supplicant -u -P /run/wpa_supplicant.pid -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant.conf

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 11 Dave Hodgins 2017-10-18 07:16:13 CEST
For hostapd, just confirmed that the update installs cleanly over the prior version.
Comment 12 Thomas Backlund 2017-10-18 11:33:14 CEST
I decided to upgrade Mageia 5 to 2.6 too as other good / possibly security related fixes has happend between 2.3 and 2.6, so for mga5 the rpms now are:


wpa_supplicant-2.6-1.mga5
wpa_supplicant-gui-2.6-1.mga5
hostapd-2.6-1.mga5

from SRPMS:
wpa_supplicant-2.6-1.mga5.src.rpm
hostapd-2.6-1.mga5.src.rpm



As for testing, atleast wpa_supplicant  needs to be tested with wireless hw connected to wpa2 encrypted networks

So simply install, reboot (to ensure no transient issues) and connect to wireless and confirm it still works

there is afaik not many users of hostapd, so confirming it installs is ok

Assignee: tmb => qa-bugs

Comment 13 papoteur 2017-10-18 17:53:56 CEST
Just installed wpa_supplicant.
Wireless connection is OK.
 /sbin/route
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         box             0.0.0.0         UG    35     0        0 wlp2s0
link-local      0.0.0.0         255.255.0.0     U     35     0        0 wlp2s0
192.168.1.0     0.0.0.0         255.255.255.0   U     35     0        0 wlp2s0

uname -a
Linux Zenbook.yves 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:14:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

rpm -qa|grep wpa
wpa_supplicant-gui-2.6-1.1.mga6
wpa_supplicant-2.6-1.1.mga6

CC: (none) => yves.brungard_mageia

Comment 14 claire robinson 2017-10-18 17:57:45 CEST
Testing complete mga5 64 - as comment 12.

Suggest moving this one on.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK mga5-64-ok

Comment 15 Dave Hodgins 2017-10-18 18:25:56 CEST
Still need the advisory. Validating the update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 w unruh 2017-10-18 19:01:16 CEST
Installed wpa_supplicant-2.6-1.1mga6 on Dell xps13 running mga6. The installation stalled for about 20 sec after removing the previous version before returning to the bash prompt, with the cpu running at close to 100% during that time. 
Got the comment about /home existing and not a directory (It is actually a link to /local/home)

Killed previously running wpa_supplicant and reconnected to a wpa2 DLink router without problem using NetworkCenter.).
Rebooted and again connected without problem to NetworkCenter.
Comment 17 Thomas Backlund 2017-10-19 19:46:38 CEST
advisory, also added to svn:

subject: Updated wpa_supplicant and hostapd packages fix security vulnerabilities
CVE:
 - CVE-2017-13077
 - CVE-2017-13078
 - CVE-2017-13079
 - CVE-2017-13080
 - CVE-2017-13081
 - CVE-2017-13082
 - CVE-2017-13086
 - CVE-2017-13087
 - CVE-2017-13088
src:
  5:
   core:
     - hostapd-2.6-1.mga5
     - wpa_supplicant-2.6-1.mga5
  6:
   core:
     - hostapd-2.6-1.1.mga6
     - wpa_supplicant-2.6-1.1.mga6
description: |
  Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
  handled WPA2. A remote attacker could use this issue with key
  reinstallation attacks to obtain sensitive information. (CVE-2017-13077,
  CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
  CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=21879
 - https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Keywords: (none) => advisory

Comment 18 Mageia Robot 2017-10-19 20:14:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0379.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.