Turris OS 3.8.4 is out with #KRACK fix

release

#1

Dear Turris users,
we are happy to announce that we just pushed a fix for the #KRACK vulnerability to all Turris routers. Together with community testers in RC, we tried really hard to find a bug, with no success, so here we go:

A kernel update is included, so a reboot will be needed as usual.

Please keep in mind that we are not able to fix the vulnerability completely, as it is mostly a client-side problem. So update not only Turris, but also your computers, smartphones, tablets, washing machines, refrigerators, cars and so on. :scream: :tired_face: :wink: :sunglasses: :sunny:

Thank you for staying secure with us.

Looking forward to hearing your feedback!

yours,
Václav


#2

Turris Omnia updated manually via updater.sh - everything OK


#3

Same here, used updater.sh, no issues.


#5

WiFi went down ten minutes ago. I suspected it could be because of the coming update, connected using an Ethernet cable I keep next to the router and logged in to Foris. There the update and required reboot was announced. So I rebooted. When I was online again the notification email requesting the reboot arrived. (Data collection is enabled.)

Easily worked around, but not 100% optimal. :slight_smile:

Great work on getting the update out so quickly, thanks guys!!!


#6

Thank you for the feedback, it just looks like you were a little bit eager :slight_smile: and restarted too soon. You could have waited for the Wi-Fi to work again.

The first restart could hang there since the previous update but as everything works for now, we are happy.


#7

Updated both my Omnias with updater.sh and waited a moment with the restart until I received an email.
All worked out great!

Thank you.


#8

I tried to update with updater.sh but got stuck here
http://puu.sh/y15MW/f0f927b421.png
After pressing return nothing happened :cry:


#9

Can you please send me (PM?) the content of the directory /etc/updater? I am especially interested in /etc/updater/hook_preupdate.

Also please run pstree -al in other console and send me that too.

Edit: Also potentially run it with updater.sh -e DBG or even updater.sh -e TRACE to see what it is doing.


#10

I sent you a PM, thanks

EDIT:

I tried restarting my router again and it works! Nothing changed on my side

Also, I received the email about the restart, all good


#11

Router is atm working as expected. Had to restart it connected via Ethernet-cabling as expected.
@cynerd: as I did not read that in the update messages: is the “update-approval needed” option from now on implemented correctly? You proposed to have it in 3.8.4 - but maybe because of the urgency of KRACK it has been thrown out?


#12

Yes. All changes planned originally for 3.8.4 are now pushed to next release because of KRACK.


#13

The same here - Turris 1.0 BTRFS … I waited till today and restarted; after the restart I manually ran updater.sh … 3.8.4 on the board, but some errors …

updater.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1080 100 1080 0 0 12254 0 --:--:-- --:--:-- --:--:-- 12413
WARN:Script revision-specific not found, but ignoring its absence as requested
WARN:Script serial-specific not found, but ignoring its absence as requested
WARN:Requested package luci-i18n-ddns-en that is missing, ignoring as requested.
INFO:Queue install of hostapd-common/turris/2016-12-19-6
INFO:Queue install of kmod-cfg80211/turris/4.4.91+2017-01-31-4-d74822050ae7ec4a1e49c6af6d672787-0
INFO:Queue install of kmod-mac80211/turris/4.4.91+2017-01-31-4-d74822050ae7ec4a1e49c6af6d672787-0
INFO:Queue install of kmod-ath/turris/4.4.91+2017-01-31-4-d74822050ae7ec4a1e49c6af6d672787-0
INFO:Queue install of kmod-ath10k/turris/4.4.91+2017-01-31-4-d74822050ae7ec4a1e49c6af6d672787-0
INFO:Queue install of kmod-ath9k-common/turris/4.4.91+2017-01-31-4-d74822050ae7ec4a1e49c6af6d672787-0
INFO:Queue install of kmod-ath9k/turris/4.4.91+2017-01-31-4-d74822050ae7ec4a1e49c6af6d672787-0
INFO:Queue install of turris-version/turris/3.8.4
INFO:Queue install of wpad/turris/2016-12-19-6
Press return to continue, CTRL+C to abort

INFO:Executing preupdate hooks…
INFO:Subprogram output: /etc/updater/hook_preupdate/05_schnapps.sh:
Snapshot number 7 created

INFO:End of subprogram output
ERROR:Subprogram output: /etc/updater/hook_preupdate/05_schnapps.sh:
Mount is denied because the NTFS volume is already exclusively opened.
The volume may be already mounted, or another software may use it which
could be identified for example by the help of the ‘fuser’ command.

ERROR:End of subprogram output
WARN:Restart your device to apply all changes.
INFO:Executing reboot_required hooks…
INFO:Executed: /etc/updater/hook_reboot_required/50-create-notification.sh
INFO:Executing postupdate hooks…
INFO:Subprogram output: /etc/updater/hook_postupdate/05_schnapps.sh:
Snapshot number 8 created

INFO:End of subprogram output
ERROR:Subprogram output: /etc/updater/hook_postupdate/05_schnapps.sh:
Mount is denied because the NTFS volume is already exclusively opened.
The volume may be already mounted, or another software may use it which
could be identified for example by the help of the ‘fuser’ command.

ERROR:End of subprogram output
ERROR:Subprogram output: /etc/updater/hook_postupdate/10_kernel-install:
NTFS signature is missing.
Failed to mount ‘/dev/mmcblk0p1’: Invalid argument
The device ‘/dev/mmcblk0p1’ doesn’t seem to have a valid NTFS.
Maybe the wrong device is used? Or the whole disk instead of a
partition (e.g. /dev/sda, not /dev/sda1)? Or the other way around?

ERROR:End of subprogram output
Working on message: 1508412527-14802
Working on message: 1508412540-14963
Working on message: 1508412546-15027
warning: commands will be executed using /bin/sh
job 1 at Fri Oct 20 03:30:00 2017


#14

Very quick reaction as always. Thank you for that. I wish other manufacturers were as quick…

One question though:

LEDE has an optional workaround on the AP side for KRACK.
Is that workaround also in 3.8.4?


WPA Key Reinstallation Attack workaround
Name 	Default 	Description
wpa_disable_eapol_key_retries 	0 	Workaround for key reinstallation attacks (requires LEDE 17.01.4 or higher)

Complete description copied from upstream hostapd.conf example:

# Workaround for key reinstallation attacks
#
# This parameter can be used to disable retransmission of EAPOL-Key frames that
# are used to install keys (EAPOL-Key message 3/4 and group message 1/2). This
# is similar to setting wpa_group_update_count=1 and
# wpa_pairwise_update_count=1, but with no impact to message 1/4 and with
# extended timeout on the response to avoid causing issues with stations that
# may use aggressive power saving have very long time in replying to the
# EAPOL-Key messages.
#
# This option can be used to work around key reinstallation attacks on the
# station (supplicant) side in cases those station devices cannot be updated
# for some reason. By removing the retransmissions the attacker cannot cause
# key reinstallation with a delayed frame transmission. This is related to the
# station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
# CVE-2017-13080, and CVE-2017-13081.
#
# This workaround might cause interoperability issues and reduced robustness of
# key negotiation especially in environments with heavy traffic load due to the
# number of attempts to perform the key exchange is reduced significantly. As
# such, this workaround is disabled by default (unless overridden in build
# configuration). To enable this, set the parameter to 1.
#wpa_disable_eapol_key_retries=1
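
Added example, not part of the original posts and not Turris or LEDE project code: a small shell/awk report that reads a UCI wireless config and shows, for each WPA-protected AP section, whether wpa_disable_eapol_key_retries is explicitly on, explicitly off, or unset (in which case the hostapd build default applies, as the quoted comment notes). The sample config, its SSIDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-AP status of the KRACK workaround in a UCI wireless config.

# Constructed sample in /etc/config/wireless syntax (not taken from a real router).
sample_wireless_config() {
cat <<'EOF'
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface
    option mode 'ap'
    option ssid 'home net'
    option encryption 'psk2+ccmp'
    option wpa_disable_eapol_key_retries '1'

config wifi-iface
    option mode 'ap'
    option ssid 'guest'
    option encryption 'psk2'

config wifi-iface
    option mode 'ap'
    option ssid 'open'
    option encryption 'none'
EOF
}

# Prints "<state> TAB <encryption> TAB <ssid>" for each WPA-protected AP section.
# state: on / off = explicitly set to 1 / 0; unset = hostapd build default applies.
krack_workaround_report() {
    awk '
    function unq(s) { gsub("^[\"\047]|[\"\047]$", "", s); return s }
    function emit() { if (in_iface && mode == "ap" && enc ~ /psk|wpa|sae/)
                          printf "%s\t%s\t%s\n", state, enc, ssid }
    $1 == "config" { emit(); in_iface = (unq($2) == "wifi-iface")
                     ssid = enc = mode = ""; state = "unset" }
    in_iface && $1 == "option" {
        val = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val); val = unq(val)
        key = unq($2)
        if (key == "ssid") ssid = val
        else if (key == "encryption") enc = val
        else if (key == "mode") mode = val
        else if (key == "wpa_disable_eapol_key_retries") state = (val == "1" ? "on" : "off")
    }
    END { emit() }
    ' "$@"
}

sample_wireless_config | krack_workaround_report
```

On a router, run `krack_workaround_report /etc/config/wireless`; whether the installed hostapd honours the option depends on the build (the quoted table requires LEDE 17.01.4 or higher).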

#15

Hello, Interesting idea.
But your code is fixing only enterprise Wi-Fi.


#16

It seems it is!

I had a problem with 3.8.4, which was resolved by explicitly setting wpa_disable_eapol_key_retries to 0.


#17

FYI, Apple yesterday released a patch for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13: https://support.apple.com/en-us/HT208221

“Wi-Fi
Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven”


#18

Two weeks after public disclosure? Not that bad…


#19

Although the macOS patch applies to all Mac computers, the equivalent iOS patch here:

Is limited only to a very specific set of devices:

"Wi-Fi

Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)

Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management."

so unless you have a quite new iPhone or iPad, your iOS device has not been patched yet.


#20

IIRC it’s generally not common to provide system updates for phones (or routers BTW) that are two years old already. Unless the practice changes, it will really bite lots of people one day…


#21

@vcunat that might be the practice on Android. The general practice for Apple is to provide security and OS updates for phones for 4-5 years. The iPhone 5S can still run the latest iOS (iOS 11.1) and it was introduced in September 2013, and the 5S got all the security fixes in 11.1 except for KRACK. It’s quite unusual for Apple to provide security fixes for only some supported hardware in a release and not others, and the more knowledgeable Apple users have already pointed it out. Hopefully Apple will fix it for the older devices as well, otherwise a large number of devices remain unfixed.