Public bug reported:

See for reference:
https://www.krackattacks.com/#ap-mitigations

Yes this is not a bug. However, it has been noted on ubuntu-devel that adding 
some features even to stable releases could be justified in *some* cases.
First of paramount importance is that the fix introduces no regression.
In this case this code is *only* used if a new parameter is set:

wpa_disable_eapol_key_retries=1

if this parameter is missing, behaviour will not change.
So any regression introduced will be caused by a deliberate admin decision, 
from where all responsibility could be denied (use at your own risk, yadda, 
yadda...)

Then is this parameter useful: it could be for the hundreds of millions
of Android phones that are not yet patched (6.0 and upper) and will never
be patched (about 50% of existing Android phones).

Please note that at least one wifi provider has already decided to
provide this feature to help its users:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

so this is something that leaders do :-)

I have already patched my AP that runs Ubuntu 16 LTS (see attached patch
against 2.4-0ubuntu6.2, I have used my AP for 3 days now with a Ubuntu
and an Android client without problem) and I could try to provide a
patch for Ubuntu 17. This kind of patch is really trivial anyway, since
it's just a port of the upstream patch in hostapd:

https://w1.fi/cgit/hostap/commit/?id=6f234c1e2ee1ede29f2412b7012b3345ed8e52d3


However I have a big problem. Any security patch (and this is a security 
enhancing patch at least) is only worth as much as it is *tested*. And I don't 
have the means to verify that mitigation is effective, as the vulnerability 
discoverer has not provided (for obvious reasons) public testing code for 
clients.
I think that Ubuntu should have this code (or did you just distribute security 
patches without testing that they are effective? that would not be very 
serious IMO). 
There is no chance that M. Vanhoef sends his code to any old dog on the 
internet, so Canonical is my only chance for a real test of this feature on an 
Ubuntu AP (short of rewriting the attack code myself, not an attractive 
proposition). 
If in fact you don't have the testing (well, attack) code feel free to dismiss 
my bug report as irrelevant. But if you have please consider the opportunity to 
add some goodwill to Ubuntu. Thanks.

** Affects: wpa (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "Krackattacks mitigation for Ubuntu 16LTS test patch"
   
https://bugs.launchpad.net/bugs/1730399/+attachment/5004651/+files/hostapd-krk-mitigation-u16LTS.patch

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to wpa in Ubuntu.
https://bugs.launchpad.net/bugs/1730399

Title:
  Add krackattacks mitigation

Status in wpa package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1730399/+subscriptions
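
Added example, not part of the bug report or of the attached patch: the upstream option stops hostapd from retransmitting the EAPOL-Key frames that install keys (4-way handshake message 3 and group message 1), so the AP side can be checked passively by looking for repeated key-installing frames in a capture. The sketch assumes the frames have already been reduced to (time, station, Key Information, replay counter) tuples; the 10-second window and all sample values are assumptions.

```python
# Added example (not hostapd code). Key Information bits are from the
# IEEE 802.11 EAPOL-Key descriptor; the sample frames are constructed.
PAIRWISE, INSTALL, KEY_ACK, KEY_MIC = 1 << 3, 1 << 6, 1 << 7, 1 << 8
RETRY_WINDOW = 10.0  # seconds; assumed to be far below the group rekey interval


def ap_message(key_info):
    """Return 'msg1', 'msg3' or 'group1' for AP frames, None for station frames."""
    if not key_info & KEY_ACK:          # Key Ack is only set by the AP
        return None
    if not key_info & PAIRWISE:
        return "group1"
    return "msg3" if key_info & INSTALL and key_info & KEY_MIC else "msg1"


def find_key_retries(frames, window=RETRY_WINDOW):
    """frames: (time, station, key_info, replay_counter) tuples.

    Returns (station, message, time, replay_counter) for every msg3 or
    group1 frame that repeats an earlier one inside `window` seconds.
    """
    last_seen = {}                      # (station, message) -> time last sent
    retries = []
    for t, sta, key_info, rc in sorted(frames):
        msg = ap_message(key_info)
        if msg is None:
            continue
        if msg == "msg1":               # new 4-way handshake, msg3 may follow
            last_seen.pop((sta, "msg3"), None)
            continue
        prev = last_seen.get((sta, msg))
        if prev is not None and t - prev <= window:
            retries.append((sta, msg, t, rc))
        last_seen[(sta, msg)] = t
    return retries


STA = "02:00:00:00:00:aa"               # constructed, locally administered MAC
UNMITIGATED = [                         # msg3 is sent again after 1 s
    (0.00, STA, 0x008A, 1), (0.01, STA, 0x010A, 1),
    (0.02, STA, 0x13CA, 2), (1.02, STA, 0x13CA, 3), (1.03, STA, 0x030A, 3),
]
MITIGATED = [                           # one msg3, group rekeys 600 s apart
    (0.00, STA, 0x008A, 1), (0.01, STA, 0x010A, 1),
    (0.02, STA, 0x13CA, 2), (0.03, STA, 0x030A, 2),
    (600.0, STA, 0x1382, 3), (600.01, STA, 0x0302, 3),
    (1200.0, STA, 0x1382, 4), (1200.01, STA, 0x0302, 4),
]

if __name__ == "__main__":
    print(find_key_retries(UNMITIGATED))
    print(find_key_retries(MITIGATED))
```

This only shows whether the AP retransmitted; it says nothing about whether a given client is vulnerable, and an empty result is meaningful only for a capture in which a station's reply was actually lost.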