Krack Vulnerability!

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Goto page Previous  1, 2, 3
Author Message
spuriousoffspring
DD-WRT Guru


Joined: 05 Apr 2017
Posts: 982
Location: South of Heaven, USA

PostPosted: Tue Oct 17, 2017 20:49    Post subject: Reply with quote
Quote:
Is it possible for you to include the 4.4 kernel in your wrt1900ac v1 builds. I suspect that would correct most of the reboot issues.
--bill


YES PLEASE!!! I would love to have the new features of the latest builds while also enjoying the stability of the previous Kernel.

Thank you very much for asking, Bill. For all us WRT1900AC v1 owners.

_________________
DD-WRT Installation & Setup TUTORIAL
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311117

WRT32X DD-WRT Installation Procedure
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=315569

IPVanish OpenVPN Client Setup TUTORIAL
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=308565

FIRMWARE: OpenWrt SNAPSHOT r8217-2cc821e / LuCI Master (git-18.276.41146-280dd33)
MODEM: ARRIS SURFBoard SB8200
ROUTER: Linksys WRT32X
USB NAS: Western Digital BLACK 1 TB Hardrive + Startech USB 3.0 External SATA III Enclosure
Sponsor
spuriousoffspring
DD-WRT Guru


Joined: 05 Apr 2017
Posts: 982
Location: South of Heaven, USA

PostPosted: Wed Oct 18, 2017 0:43    Post subject: Reply with quote
If you have a WRT1900AC v1 please see:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311737

_________________
DD-WRT Installation & Setup TUTORIAL
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311117

WRT32X DD-WRT Installation Procedure
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=315569

IPVanish OpenVPN Client Setup TUTORIAL
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=308565

FIRMWARE: OpenWrt SNAPSHOT r8217-2cc821e / LuCI Master (git-18.276.41146-280dd33)
MODEM: ARRIS SURFBoard SB8200
ROUTER: Linksys WRT32X
USB NAS: Western Digital BLACK 1 TB Hardrive + Startech USB 3.0 External SATA III Enclosure
Kadigan
DD-WRT Novice


Joined: 19 May 2017
Posts: 12

PostPosted: Wed Oct 18, 2017 2:30    Post subject: Reply with quote
Just in case anyone has any doubts:

"KRACK" targets three key exchanges - the PTK exchange, the GTK exchange, and the FT handoff.

The PTK and GTK attacks are aimed at clients.

The FT attack is aimed at the router, and happens when you roam under 802.11r. If you don't have 802.11r, you're good. If you do, update it. If you can't, disable it. Otherwise, you're vulnerable - probably. Remember - you don't have to run a BSS to be vulnerable, the attacker can (and likely will) bring their own device and force a roam on your Client(s), and this particular key reinstallation, as opposed to the others, can be repeated indefinitely. So yes, in specific scenarios the router needs an update.

As to whether you're safe if you update one or the other (but not both): you're safe from the attacks that targeted that side. The other side, if it was vulnerable, still is.

Particularly so if you use GCMP, because attacking GCMP on either side allows forging bidirectional messages, essentially giving the attacker exactly the same privileges as the Client (otherwise you can only forge unidirectional messages (TKIP) or can only hijack streams (CCMP)).

Hope this clears any remaining doubts.

Cheers
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Wed Oct 18, 2017 3:34    Post subject: Reply with quote
Kadigan wrote:
Just in case anyone has any doubts:

"KRACK" targets three key exchanges - the PTK exchange, the GTK exchange, and the FT handoff.

The PTK and GTK attacks are aimed at clients.

The FT attack is aimed at the router, and happens when you roam under 802.11r. If you don't have 802.11r, you're good. If you do, update it. If you can't, disable it. Otherwise, you're vulnerable - probably. Remember - you don't have to run a BSS to be vulnerable, the attacker can (and likely will) bring their own device and force a roam on your Client(s), and this particular key reinstallation, as opposed to the others, can be repeated indefinitely. So yes, in specific scenarios the router needs an update.

As to whether you're safe if you update one or the other (but not both): you're safe from the attacks that targeted that side. The other side, if it was vulnerable, still is.

Particularly so if you use GCMP, because attacking GCMP on either side allows forging bidirectional messages, essentially giving the attacker exactly the same privileges as the Client (otherwise you can only forge unidirectional messages (TKIP) or can only hijack streams (CCMP)).

Hope this clears any remaining doubts.

Cheers


Thanks for this.

I see sites recommending to use vpn until a fix is available; are they recommending the use of external vpn provider? Or is it enough to have clients in a home network connect to the ddwrt router that is running an openvpn server,
does that offer any additional protection or no extra protection because the server would be on the same network as a an intruder who used Crack to get access!

LOL, these damn intruders and their crack!!Smile
spuriousoffspring
DD-WRT Guru


Joined: 05 Apr 2017
Posts: 982
Location: South of Heaven, USA

PostPosted: Wed Oct 18, 2017 3:48    Post subject: Reply with quote
Someone may have already posted this link (didn’t check), but this article is by the person(s) who actually discovered the vulnerability. Much easier read.

https://www.krackattacks.com

_________________
DD-WRT Installation & Setup TUTORIAL
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311117

WRT32X DD-WRT Installation Procedure
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=315569

IPVanish OpenVPN Client Setup TUTORIAL
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=308565

FIRMWARE: OpenWrt SNAPSHOT r8217-2cc821e / LuCI Master (git-18.276.41146-280dd33)
MODEM: ARRIS SURFBoard SB8200
ROUTER: Linksys WRT32X
USB NAS: Western Digital BLACK 1 TB Hardrive + Startech USB 3.0 External SATA III Enclosure
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 345

PostPosted: Sun Nov 26, 2017 17:01    Post subject: Reply with quote
Yemble wrote:
BrainSlayer wrote:
i see no significant report or log in this thread. thats the problem


r31924 was the last stable release of DD-WRT for the WRT1900AC v1. All later versions result in unexpected reboots after a random period of running. Sometimes hours, sometimes days.

This has been discussed here in numerous threads and by many users.

r31924 is solid on this router and never reboots spontaneously.

Those of us who still have a WRT1900AC v1, either run this version of DD-WRT, or have switched to LEDE.

The assumption, for some time now, is that this reboot issue will never get fixed.


I'm running version 1 with firmware 33772 and I haven't encountered any problems so far (up 5 days so far). It's configured as a client bridge, 5 GHz, VHT80, stats show connection rate with the wrt3200acm AP as 1170 Mb). kernel 4.9.62

As for protection against KRACK for any of my Marvell based routers go (wrt1900acs, wrt3200acm), I don't know if it has been done and I'm not aware of any tools to check to see if the routers are patched.
Goto page Previous  1, 2, 3 Display posts from previous:    Page 3 of 3
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum