Description of problem: wpa_supplicant in core RedHat has been patched, but hostapd is only in EPEL. The current version is pretty old (2.4.3, upstream stable is 2.6). All versions are vulnerable to KRACK WPA2 bugs Version-Release number of selected component (if applicable): hostapd-2.4.3.el7 Additional info: See https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Impact on AP/hostapd On the AP side, this generic issue has been determined to be applicable in the case where hostapd is used to operate an RSN/WPA2 network with FT (Fast BSS Transition from IEEE 802.11r) enabled. Replaying of the Reassociation Request frame can be used to get the AP reinstalling the TK which results in the AP accepting previously delivered unicast frames from the station and the AP reusing previously used packet numbers (local TX packet number gets reset to zero). This latter issue on the TX side can result in CCM nonce reuse which invalidates CCMP security properties. In case of TKIP this can result in the attacker being able to determine part of the TK more easily and with GCMP, result in similar issues. It should be noted that the AP side issue with FT would be close to applying to FILS authentication (from IEEE 802.11ai) in hostapd with replaying of (Re)Association Request frames. However, due to a different handling of the repeated association processing with FILS, this would actually result in the station getting immediately disconnected which prevents this attack in practice. In addition, the FILS implementation in the current hostapd version is still experimental and documented as being discouraged in production use cases. Another area of potentially reduced security was identified when looking into these issues. When AP/Authenticator implementation in hostapd is requested to rekey the PTK without performing EAP reauthentication (either through local periodic rekeying or due to a request from an association station), the ANonce value does not get updated. This results in the new 4-way handshake depending on the station/supplicant side generating a new, unique (for the current PMK/PSK) SNonce for the PTK derivation to result in a new key. While a properly working supplicant would do so, if there is a supplicant implementation that does not, this combination could result in deriving the same PTK again. When the TK from that PTK gets configured in the driver, this would result in reinstalling the same key and the same issues as described above for the FT protocol case.
https://koji.fedoraproject.org/koji/packageinfo?packageID=9668 package maintained badly, there is no reason to keep the EPEL package on such an old version, i maintain it local for years now with no incompatible changes at all, same config as 2013 [harry@srv-rhsoft:~]$ rpm -q --changelog hostapd * Di Okt 17 2017 Reindl Harald <h.reindl> - added security patches from https://w1.fi/security/2017-1/ * Do Jun 29 2017 Reindl Harald <h.reindl> - build without 'CONFIG_TLSV11=y' * Mi Okt 05 2016 Reindl Harald <h.reindl> - Update to 2.6 * Di Aug 09 2016 Reindl Harald <h.reindl> - switch build to libnl3-devel from EOL libnl-devel * Do Okt 01 2015 Reindl Harald <h.reindl> - Update to 2.5 * Sa Mär 28 2015 Reindl Harald <h.reindl> - optimize build options - ship own 'defconfig' with source-package * Di Mär 17 2015 Reindl Harald <h.reindl> - Update to 2.4 * Fr Okt 10 2014 Reindl Harald <h.reindl> - Update to 2.3 * Sa Jul 12 2014 Reindl Harald <h.reindl> - optimize build options * Mo Jun 09 2014 Reindl Harald <h.reindl> - Update to 2.2 * Mi Feb 05 2014 Reindl Harald <h.reindl> - Update to 2.1 * So Mär 17 2013 Reindl Harald <h.reindl> - Update to 2.0
Hi Harald, if you're maintaining this package for your own purpose, I guess maintaining it in Fedora/EPEL wouldn't be much more work, so why not ask to be be a co-maintainer ? Regards, Xavier
it would because i have no usecase for git, refuse to maintain packages for a distribution with restart-commands at upgrade while i maintain some services to remove them and my hostapd has everything disabled which is not nmeeded for a WPA2 setup so mine can't go to any distribution and while doing what normally are 5 fulltimejobs beeing one of the top-testers for Fedora over nearly a decade is the only contribution i have time for until i find a solution for the "day has only 24 hours" problem and since i don't have the time for it i don't start it because start maintaining something brings responisibility - do it proper or not at all
(In reply to Harald Reindl from comment #3) > it would because i have no usecase for git, refuse to maintain packages for > a distribution with restart-commands at upgrade while i maintain some > services to remove them and my hostapd has everything disabled which is not > nmeeded for a WPA2 setup > > so mine can't go to any distribution and while doing what normally are 5 > fulltimejobs beeing one of the top-testers for Fedora over nearly a decade > is the only contribution i have time for until i find a solution for the > "day has only 24 hours" problem and since i don't have the time for it i > don't start it because start maintaining something brings responisibility - > do it proper or not at all Fair enough, thanks for the answer. I tried :-)
Hi Stephen, can you try the latest build? https://koji.fedoraproject.org/koji/packageinfo?packageID=9668 If it works, I'm pushing the update to Bodhi.
So I did systemctl stop hostapd yum update hostapd-2.6-6.el7.x86_64.rpm systemctl start hostapd Everything appears to look OK % grep hostapd /var/log/messages | grep -v STA Nov 3 17:23:41 router yum[27018]: Updated: hostapd-2.6-6.el7.x86_64 Nov 3 17:23:49 router hostapd: Configuration file: /etc/hostapd/hostapd.conf Nov 3 17:23:49 router hostapd: Using interface wlp4s0 with hwaddr 04:f0:21:26:d3:7e and ssid "spuddy" Nov 3 17:23:49 router hostapd: Using interface wlp4s0_1 with hwaddr 04:f0:21:26:d3:7f and ssid "spuddy-guest" Nov 3 17:23:49 router hostapd: wlp4s0: interface state UNINITIALIZED->ENABLED Nov 3 17:23:49 router hostapd: wlp4s0: AP-ENABLED An Android 6 phone, a Chromebook, a Win10 laptop, a Chumby, and a wireless camera all reconnected without issue and joined the right networks. systemd gave a couple of warnings, but they appear to be harmless From the install: Nov 3 17:23:41 router systemd: Reloading. Nov 3 17:23:41 router systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument From the startup: Nov 3 17:23:49 router systemd: Starting Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator... Nov 3 17:23:49 router systemd-udevd: Error changing net interface name 'wlp4s0_1' to 'wlp4s0': Device or resource busy Nov 3 17:23:49 router systemd-udevd: could not rename interface '13' from 'wlp4s0_1' to 'wlp4s0': Device or resource busy Nov 3 17:23:49 router systemd: Started Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator.
Thanks for the testing. The errors you see are not related to hostapd misbehaving. I will post the updates.
hostapd-2.6-6.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-30026fdcc1
hostapd-2.6-6.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-ed87c07972
hostapd-2.6-6.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-45044b6b33
hostapd-2.6-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cfb950d8f4
hostapd-2.6-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fc21e3856b
hostapd-2.6-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fc21e3856b
hostapd-2.6-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cfb950d8f4
hostapd-2.6-6.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-ed87c07972
hostapd-2.6-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-30026fdcc1
hostapd-2.6-6.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-45044b6b33
hostapd-2.6-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
hostapd-2.6-6.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
hostapd-2.6-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
hostapd-2.6-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-ed87c07972
hostapd-2.6-7.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-30026fdcc1
hostapd-2.6-7.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
hostapd-2.6-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.