[FreeBSD-Announce] FreeBSD Security Notice: WPA2 vulnerabilities
FreeBSD Security Advisories
security-advisories at freebsd.org
Mon Oct 16 22:44:53 UTC 2017
-----BEGIN PGP SIGNED MESSAGE-----
Dear FreeBSD community,
As many have already noticed, there are a few newly disclosed WPA2
protocol vulnerabilities that affects wpa_supplicant and hostapd which
also affects all supported FreeBSD releases:
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
We are actively working on a patch for the base system to address these
issues. Current users who use Wi-Fi with WPA2 should use a wired
connection as a workaround, and we strongly recommend using end-to-end
encryption methods like HTTPS or SSH to better protect against this type
of attack. Please note that a successful attack requires close
proximity to the victim systems.
Alternatively, we recommend wpa_supplicant users who are concerned with
the issue to install an updated version from the ports/packages
collection (version 2.6_2 or later). It can be installed via ports
portsnap fetch update
make clean; make all deinstall install clean;
Change /etc/rc.conf to make use of the port/package version by adding:
And restart the Wi-Fi network interfaces or reboot the system.
Additional information about this remediation will be released as
SA-17:07 once it becomes available.
For more information about the vulnerabilities, please see the following
The FreeBSD Security Team
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the freebsd-announce