[creatrixcordis]

"This is achieved by manipulating and replaying cryptographic handshake messages." so that means that the mac address has been spoofed to make the AP think that he is always talking to the same mac address.

If I'm plugged into the router directly then i should be good because it eliminates the wifi handshake. So even though other devices on the wifi network could be affected, the node that is plugged in is safe against this?

[0xfeba]

> If I'm plugged into the router directly then i should be good because it eliminates the wifi handshake.

Eh, yes, if you're plugged in you're good because it eliminates Wifi, period.

For that one client, anyway.

[nullbyte]

Well yeah, you'd always be safe against these types of attacks if you're wired in. Even on Ethernet.

[creatrixcordis]

So if i use my wired in node as an ssh tunnel out to the "internets" to tunnel all traffic from my wifi connected nodes then this mitigates the issue till updates come through?

[Fnoord]

That's a feasible option on laptops running macOS or Linux, but not for Android clients. Running a SSH VPN (tunneling all traffic) requires root and has a severe performance penalty (which you will notice on your battery). You'd notice it on the laptops as well, but I guess that matters less.

Funny enough, OpenBSD didn't impleemnt WPA(2) for a while. Instead, they were forcing their users to use IPsec and OpenSSH instead.

[creatrixcordis]

Debian repos and inherently Ubuntu's repos also have wpa_supplicant 2.4, we will see if they update to 2.6 or release a patch. Probably patch before 2.6.

It would be nice if there was a rule which package repos and distros would adhere to. The rule would adapt, such as all the packages that have had a security issues, will always be required to be updated to the latest versions in the next release or sooner. As vulnerabilities are discovered, the list of packages would grow and hopefully would prevent some future attacks. Obviously it's not full proof but every little bit counts.

[iam-TJ]

There has always been a rule for bug-fix and security updates:

Apply the minimum necessary change to solve the problem.

This means cherry-picking the mainline patches where possible, or back-porting them where modification is required for them to apply (and work as intended) on older releases.

Especially with older versions it often isn't possible to update to a later upstream release because that depends on later versions of other packages. The dependencies can rapidly multiply to affect tens or even hundreds of packages.

Ubuntu patches were prepared and released within 4 hours of the security team being aware of the vulnerability. Same goes for Debian.

[creatrixcordis]

where do i go to get the patch?

i looked here and i don't know where to pick up the patch also ran update manager in my ubuntu distro but no dice :(

https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1723909 http://people.canonical.com/~ubuntu-security/cve/pkg/wpa.htm...

[pnutjam]

OpenVPN doesn't require root. You can use your own server or find a trusted commercial provider. I recommend airvpn, https://airvpn.org/?referred_by=287899

[dfox]

I had my home wifi configured like that for few years. AP without any security wired into network that was firewalled such that it only allowed ICMPv6 and OpenVPN. Sadly this worked ten years ago, but is completely unusable for various IoT-ish devices (for me, Wii was the device that made me to switch to WPA2-PSK)

Edit: also at that time this was at least subjectively significantly easier to setup than wpa_supplicant ;)

[kzahel]

Yep! That's what I'm doing right now.

[nullbyte]

*even on WEP Is what I meant to say. Haven't had coffee yet, sorry.