desflynn / realtek-8192cu-concurrent-softAP

Some scripts to build and install the Realtek 8192cu driver via dkms, with concurrent mode enabled, allowing simultaneous AP and client mode. All necessary files including hostapd 2.4 with rtl871xdrv patches and config files for hostapd, dhcpd, /etc/network/interfaces are included.

WPA2 Krack Attack vulnerability? #3

Open SoftwareMagicIT opened 6 years ago

SoftwareMagicIT commented 6 years ago

This code is too old. Is it affected by the WPA2 KRACK attack vulnerability? The official version is, but it has been patched in recent days.

desflynn commented 6 years ago

Yes, hostapd/wpa_supplicant 2.4 is affected.

See https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt for an explanation.

To summarise:

Impact on AP/hostapd

On the AP side, this generic issue has been determined to be applicable in the case where hostapd is used to operate an RSN/WPA2 network with FT (Fast BSS Transition from IEEE 802.11r) enabled.

...

Impact on station/wpa_supplicant

On the station side, this generic issue has been determined to be applicable in the cases where wpa_supplicant processes a group key (GTK or IGTK) update from the AP.

...

Possible mitigation steps

  • For AP/hostapd and FT replay issue (CVE-2017-13082), it is possible to prevent the issue temporarily by disabling FT in runtime configuration, if needed before being able to update the implementations.

To immediately prevent issues on the AP, disable FT in the hostapd config.

For a better fix, there are patches published for hostapd/wpa_supplicant 2.6 at https://w1.fi/security/2017-1/. Please feel free to issue a pull request for updating the included hostapd to 2.6 and applying the patches during the build process as an interim solution.

Possible mitigation steps

  • Update to hostapd/wpa_supplicant v2.7 or newer, once available
    • it should be noted that there are number of additional changes in the related areas of the implementation to provide extra layer of protection for potential unknown issues; these changes are not included in this advisory as they have not been identified to be critical for preventing any of the identified security vulnerabilities; however, users of hostapd/wpa_supplicant are encouraged to consider merging such changes even if not fully moving to v2.7

When hostapd 2.7 is released, I will merge it into this codebase which will provide a permanent fix.
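
One way to check for the interim mitigation mentioned in the reply above (disabling FT in the hostapd config), as an added example that is not part of the original thread or of this repository. It assumes FT is enabled through `FT-*` suites on the `wpa_key_mgmt` line; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Audit a hostapd.conf for FT (IEEE 802.11r) key management suites.
# Assumes hostapd's key=value format with '#' at line start for comments.

# Print each FT-* suite found on active wpa_key_mgmt lines, one per line.
ft_akms() {
    awk '/^wpa_key_mgmt=/ {
        n = split(substr($0, index($0, "=") + 1), t, /[ \t]+/)
        for (i = 1; i <= n; i++) if (t[i] ~ /^FT-/) print t[i]
    }' "$1"
}

# Print the config with FT-* suites removed from wpa_key_mgmt.
# If a line lists only FT suites, leave it unchanged and return non-zero,
# because stripping it would leave no key management suite at all.
strip_ft() {
    awk '/^wpa_key_mgmt=/ {
        n = split(substr($0, index($0, "=") + 1), t, /[ \t]+/)
        out = ""
        for (i = 1; i <= n; i++)
            if (t[i] != "" && t[i] !~ /^FT-/)
                out = out (out == "" ? "" : " ") t[i]
        if (out == "") { bad = 1; print; next }
        print "wpa_key_mgmt=" out
        next
    }
    { print }
    END { exit bad + 0 }' "$1"
}

# Constructed sample config for illustration (not taken from the repository).
sample=$(mktemp)
cat > "$sample" <<'EOF'
interface=wlan1
ssid=example
wpa=2
#wpa_key_mgmt=FT-EAP
wpa_key_mgmt=WPA-PSK FT-PSK
EOF

echo "FT suites enabled: $(ft_akms "$sample" | tr '\n' ' ')"
strip_ft "$sample"
```

An empty result from `ft_akms` means no FT suite is active in that file; a non-zero exit from `strip_ft` means a `wpa_key_mgmt` line lists only FT suites and needs a manual decision.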