Bug 1503874 - KRACK affects hostapd
Summary: KRACK affects hostapd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: hostapd
Version: epel7
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Simone Caronni
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-19 01:23 UTC by Stephen Harris
Modified: 2018-01-09 16:18 UTC (History)

Fixed In Version: hostapd-2.6-6.fc27 hostapd-2.6-6.fc26 hostapd-2.6-6.fc25 hostapd-2.6-7.el7 hostapd-2.6-7.el6
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-09 16:16:06 UTC
Type: Bug


Description Stephen Harris 2017-10-19 01:23:04 UTC
Description of problem:
wpa_supplicant in core Red Hat has been patched, but hostapd is only in EPEL.
The current version is pretty old (2.4.3, upstream stable is 2.6). All versions are vulnerable to KRACK WPA2 bugs.

Version-Release number of selected component (if applicable):
hostapd-2.4.3.el7


Additional info:

See https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Impact on AP/hostapd

On the AP side, this generic issue has been determined to be applicable
in the case where hostapd is used to operate an RSN/WPA2 network with FT
(Fast BSS Transition from IEEE 802.11r) enabled. Replaying of the
Reassociation Request frame can be used to get the AP reinstalling the
TK which results in the AP accepting previously delivered unicast frames
from the station and the AP reusing previously used packet numbers
(local TX packet number gets reset to zero). This latter issue on the TX
side can result in CCM nonce reuse which invalidates CCMP security
properties. In case of TKIP this can result in the attacker being able
to determine part of the TK more easily and with GCMP, result in similar
issues.

It should be noted that the AP side issue with FT would be close to
applying to FILS authentication (from IEEE 802.11ai) in hostapd with
replaying of (Re)Association Request frames. However, due to a different
handling of the repeated association processing with FILS, this would
actually result in the station getting immediately disconnected which
prevents this attack in practice. In addition, the FILS implementation
in the current hostapd version is still experimental and documented as
being discouraged in production use cases.

Another area of potentially reduced security was identified when looking
into these issues. When AP/Authenticator implementation in hostapd is
requested to rekey the PTK without performing EAP reauthentication
(either through local periodic rekeying or due to a request from an
association station), the ANonce value does not get updated. This
results in the new 4-way handshake depending on the station/supplicant
side generating a new, unique (for the current PMK/PSK) SNonce for the
PTK derivation to result in a new key. While a properly working
supplicant would do so, if there is a supplicant implementation that
does not, this combination could result in deriving the same PTK
again. When the TK from that PTK gets configured in the driver, this
would result in reinstalling the same key and the same issues as
described above for the FT protocol case.
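
A configuration and package check for the two AP-side conditions the quoted advisory names (FT enabled, periodic PTK rekeying), as an added example that is not part of the bug report or of hostapd. The sample configuration is constructed, `wpa_key_mgmt` and `wpa_ptk_rekey` are hostapd.conf options, the fixed version is the EPEL 7 entry from "Fixed In Version" above, and GNU `sort -V` is assumed to approximate RPM version ordering.

```shell
#!/bin/sh
# Added example, not from the bug report. The configuration below is constructed.

# audit_hostapd_conf FILE: print "<ifname> FT <akms>" for each BSS that enables an
# FT key-management suite, and "<ifname> PTK_REKEY <secs>" where periodic PTK
# rekeying is on (the two AP-side conditions named in the advisory).
audit_hostapd_conf() {
    awk '
        /^[ \t]*#/ || !/=/ { next }    # skip comments and non key=value lines
        { eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
        key == "interface" || key == "bss" { ifname = val; next }
        key == "wpa_key_mgmt" {
            n = split(val, akm, " "); ft = ""
            for (i = 1; i <= n; i++)
                if (akm[i] ~ /^FT-/) ft = (ft == "" ? akm[i] : ft "," akm[i])
            if (ft != "") print ifname, "FT", ft
        }
        key == "wpa_ptk_rekey" && val + 0 > 0 { print ifname, "PTK_REKEY", val }
    ' "$1"
}

# nvr_is_fixed INSTALLED FIXED: succeed when INSTALLED sorts at or after FIXED.
# Assumption: GNU sort -V approximates rpm ordering well enough for these NVRs.
nvr_is_fixed() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Constructed two-BSS configuration for the demonstration.
write_sample_conf() {
    cat > "$1" <<'EOF'
interface=wlan0
ssid=example
wpa=2
wpa_key_mgmt=WPA-PSK FT-PSK
wpa_ptk_rekey=600
bss=wlan0_1
ssid=example-guest
wpa=2
wpa_key_mgmt=WPA-PSK
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_hostapd_conf "$conf"
# On a real host: nvr_is_fixed "$(rpm -q hostapd)" hostapd-2.6-7.el7
nvr_is_fixed hostapd-2.6-6.el7.x86_64 hostapd-2.6-7.el7 || echo "update hostapd"
rm -f "$conf"
```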

Comment 1 Harald Reindl 2017-10-19 17:07:55 UTC
https://koji.fedoraproject.org/koji/packageinfo?packageID=9668

package maintained badly, there is no reason to keep the EPEL package on such an old version, i maintain it local for years now with no incompatible changes at all, same config as 2013

[harry@srv-rhsoft:~]$ rpm -q --changelog hostapd
* Di Okt 17 2017 Reindl Harald <h.reindl@thelounge.net>
- added security patches from https://w1.fi/security/2017-1/

* Do Jun 29 2017 Reindl Harald <h.reindl@thelounge.net>
- build without 'CONFIG_TLSV11=y'

* Mi Okt 05 2016 Reindl Harald <h.reindl@thelounge.net>
- Update to 2.6

* Di Aug 09 2016 Reindl Harald <h.reindl@thelounge.net>
- switch build to libnl3-devel from EOL libnl-devel

* Do Okt 01 2015 Reindl Harald <h.reindl@thelounge.net>
- Update to 2.5

* Sa Mär 28 2015 Reindl Harald <h.reindl@thelounge.net>
- optimize build options
- ship own 'defconfig' with source-package

* Di Mär 17 2015 Reindl Harald <h.reindl@thelounge.net>
- Update to 2.4

* Fr Okt 10 2014 Reindl Harald <h.reindl@thelounge.net>
- Update to 2.3

* Sa Jul 12 2014 Reindl Harald <h.reindl@thelounge.net>
- optimize build options

* Mo Jun 09 2014 Reindl Harald <h.reindl@thelounge.net>
- Update to 2.2

* Mi Feb 05 2014 Reindl Harald <h.reindl@thelounge.net>
- Update to 2.1

* So Mär 17 2013 Reindl Harald <h.reindl@thelounge.net>
- Update to 2.0

Comment 2 Xavier Bachelot 2017-11-02 16:05:13 UTC
Hi Harald,

if you're maintaining this package for your own purpose, I guess maintaining it in Fedora/EPEL wouldn't be much more work, so why not ask to be a co-maintainer?

Regards,
Xavier

Comment 3 Harald Reindl 2017-11-02 16:41:27 UTC
it would because i have no use case for git, refuse to maintain packages for a distribution with restart-commands at upgrade while i maintain some services to remove them and my hostapd has everything disabled which is not needed for a WPA2 setup

so mine can't go to any distribution and while doing what normally are 5 full-time jobs being one of the top-testers for Fedora over nearly a decade is the only contribution i have time for until i find a solution for the "day has only 24 hours" problem and since i don't have the time for it i don't start it because start maintaining something brings responsibility - do it proper or not at all

Comment 4 Xavier Bachelot 2017-11-02 17:00:38 UTC
(In reply to Harald Reindl from comment #3)
> it would because i have no use case for git, refuse to maintain packages for
> a distribution with restart-commands at upgrade while i maintain some
> services to remove them and my hostapd has everything disabled which is not
> needed for a WPA2 setup
>
> so mine can't go to any distribution and while doing what normally are 5
> full-time jobs being one of the top-testers for Fedora over nearly a decade
> is the only contribution i have time for until i find a solution for the
> "day has only 24 hours" problem and since i don't have the time for it i
> don't start it because start maintaining something brings responsibility -
> do it proper or not at all

Fair enough, thanks for the answer. I tried :-)

Comment 5 Simone Caronni 2017-11-03 15:21:39 UTC
Hi Stephen, can you try the latest build?

https://koji.fedoraproject.org/koji/packageinfo?packageID=9668

If it works, I'm pushing the update to Bodhi.

Comment 6 Stephen Harris 2017-11-03 21:38:19 UTC
So I did

systemctl stop hostapd
yum update hostapd-2.6-6.el7.x86_64.rpm
systemctl start hostapd

Everything appears to look OK

% grep hostapd /var/log/messages | grep -v STA
Nov  3 17:23:41 router yum[27018]: Updated: hostapd-2.6-6.el7.x86_64
Nov  3 17:23:49 router hostapd: Configuration file: /etc/hostapd/hostapd.conf
Nov  3 17:23:49 router hostapd: Using interface wlp4s0 with hwaddr 04:f0:21:26:d3:7e and ssid "spuddy"
Nov  3 17:23:49 router hostapd: Using interface wlp4s0_1 with hwaddr 04:f0:21:26:d3:7f and ssid "spuddy-guest"
Nov  3 17:23:49 router hostapd: wlp4s0: interface state UNINITIALIZED->ENABLED
Nov  3 17:23:49 router hostapd: wlp4s0: AP-ENABLED

An Android 6 phone, a Chromebook, a Win10 laptop, a Chumby, and a wireless camera all reconnected without issue and joined the right networks.

systemd gave a couple of warnings, but they appear to be harmless

From the install:
Nov  3 17:23:41 router systemd: Reloading.
Nov  3 17:23:41 router systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument

From the startup:

Nov  3 17:23:49 router systemd: Starting Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator...
Nov  3 17:23:49 router systemd-udevd: Error changing net interface name 'wlp4s0_1' to 'wlp4s0': Device or resource busy
Nov  3 17:23:49 router systemd-udevd: could not rename interface '13' from 'wlp4s0_1' to 'wlp4s0': Device or resource busy
Nov  3 17:23:49 router systemd: Started Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator.

Comment 7 Simone Caronni 2017-11-06 07:56:12 UTC
Thanks for the testing. The errors you see are not related to hostapd misbehaving. I will post the updates.

Comment 8 Fedora Update System 2017-11-06 07:56:40 UTC
hostapd-2.6-6.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-30026fdcc1

Comment 9 Fedora Update System 2017-11-06 07:57:04 UTC
hostapd-2.6-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-ed87c07972

Comment 10 Fedora Update System 2017-11-06 07:57:16 UTC
hostapd-2.6-6.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-45044b6b33

Comment 11 Fedora Update System 2017-11-06 07:57:28 UTC
hostapd-2.6-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cfb950d8f4

Comment 12 Fedora Update System 2017-11-06 07:57:41 UTC
hostapd-2.6-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fc21e3856b

Comment 13 Fedora Update System 2017-11-06 21:14:34 UTC
hostapd-2.6-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fc21e3856b

Comment 14 Fedora Update System 2017-11-06 23:46:01 UTC
hostapd-2.6-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cfb950d8f4

Comment 15 Fedora Update System 2017-11-06 23:47:39 UTC
hostapd-2.6-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-ed87c07972

Comment 16 Fedora Update System 2017-11-07 00:02:28 UTC
hostapd-2.6-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-30026fdcc1

Comment 17 Fedora Update System 2017-11-07 00:11:37 UTC
hostapd-2.6-6.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-45044b6b33

Comment 18 Fedora Update System 2017-11-15 17:44:41 UTC
hostapd-2.6-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-11-15 20:16:19 UTC
hostapd-2.6-6.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2017-11-15 22:29:12 UTC
hostapd-2.6-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2017-12-09 19:33:29 UTC
hostapd-2.6-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-ed87c07972

Comment 22 Fedora Update System 2017-12-10 22:01:05 UTC
hostapd-2.6-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-30026fdcc1

Comment 23 Fedora Update System 2018-01-09 16:16:06 UTC
hostapd-2.6-7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2018-01-09 16:18:18 UTC
hostapd-2.6-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

