[ GLSA 201711-03 ] hostapd and wpa_supplicant

[GLSA]

Gentoo Linux Security Advisory

Title: hostapd and wpa_supplicant: Key Reinstallation (KRACK) attacks (GLSA 201711-03)
Severity: normal
Exploitable: local, remote
Date: 2017-11-10
Bug(s): #634436, #634438
ID: 201711-03

Synopsis

A flaw was discovered in the 4-way handshake in hostapd and
wpa_supplicant that allows attackers to conduct a Man in the Middle attack.


Background

wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE
802.11i / RSN). hostapd is a user space daemon for access point and
authentication servers.


Affected Packages

Package: net-wireless/hostapd
Vulnerable: < 2.6-r1
Unaffected: >= 2.6-r1
Architectures: All supported architectures

Package: net-wireless/wpa_supplicant
Vulnerable: < 2.6-r3
Unaffected: >= 2.6-r3
Architectures: All supported architectures


Description

WiFi Protected Access (WPA and WPA2) and it’s associated technologies
are all vulnerable to the KRACK attacks. Please review the referenced CVE
identifiers for details.


Impact

An attacker can carry out the KRACK attacks on a wireless network in
order to gain access to network clients. Once achieved, the attacker can
potentially harvest confidential information (e.g. HTTP/HTTPS), inject
malware, or perform a myriad of other attacks.


Workaround

There is no known workaround at this time.

Resolution

All hostapd users should upgrade to the latest version: