[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-17:07.wpa [REVISED]

FreeBSD Security Advisories security-advisories at freebsd.org
Thu Oct 19 03:49:27 UTC 2017

Hash: SHA512

FreeBSD-SA-17:07.wpa                                        Security Advisory
                                                          The FreeBSD Project

Topic:          WPA2 protocol vulnerability

Category:       contrib
Module:         wpa
Announced:      2017-10-16
Credits:        Mathy Vanhoef
Affects:        All supported versions of FreeBSD.
Corrected:      2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
                2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
                2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
                2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
                2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
                2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name:       CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
                CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
                CVE-2017-13086, CVE-2017-13087, CVE-2017-13088

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2017-10-17 Initial release.
v1.1  2017-10-19 Add patches for 10.x releases.

I.   Background

Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
Wi-Fi Alliance to secure wireless computer networks.

hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.

II.  Problem Description

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.

III. Impact

Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

IV.  Workaround

An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:


and restart networking.

An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:


and restart hostapd.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart the Wi-Fi network interfaces/hostapd or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart the Wi-Fi network interfaces/hostapd or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc

[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r324697
releng/11.0/                                                      r324698
releng/11.1/                                                      r324699
stable/10/                                                        r324739
releng/10.3/                                                      r324740
releng/10.4/                                                      r324741
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:


VII. References


The latest revision of this advisory is available at


More information about the freebsd-announce mailing list