On 18/10/2017 19:03, Henrique de Moraes Holschuh wrote:
On Mon, Oct 16, 2017, at 14:49, Alexander V. Makartsev wrote:That is one smoking fast update release. Demo works in perfect environment, but I wonder if there are some settings on AP that help to prevent successfulYes, there is. The AP may refuse to ever resent the third packet of the 4-way handshake if it is lost. This causes slowdowns on association in noisy/lossy environments, but safeguards the session key. Newest openwrt and LEDE and hostapd/WPA git trees have a manual setting that can do this. It is not on any release yet, but might be available in nightly build images or the updated packages with the wpa/hostapd binaries.
[...] Hi,17.01.4 just released [2] with fixed wpa and possibility to activate an AP side workaround. It is just a mitigation really, but should in practice impair an exploit. It is OFF by default.
Quote: "an optional AP-side workaround was introduced in hostapd to complicate these attacks, slowing them down. Please note that this does not fully protect you from them, especially when running older versions of wpa_supplicant vulnerable to CVE-2017-13086, which the workaround does not address. As this workaround can cause interoperability issues and reduced robustness of key negotiation, this workaround is disabled by default." Option in hostapd.sh [1] is: wpa_disable_eapol_key_retries[1] https://git.lede-project.org/?p=source.git;a=commitdiff;h=d501786ff25684208d22b7c93ce60c194327c771
[2] https://downloads.lede-project.org/releases/17.01.4/targets/