dd-wrt patched against severe flaws in WPA2 / KRACK attack

Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions
Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8  Next
Author Message
mattlward
DD-WRT Novice


Joined: 28 Sep 2006
Posts: 33

PostPosted: Mon Oct 16, 2017 17:33    Post subject: So, normal user here... Reply with quote
Can I patch my router and access points or will they need to be 30/30/30'ed and reloaded?

I am running TP-Link and Dlink DIR-625's.

Thanks
Sponsor
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

PostPosted: Mon Oct 16, 2017 17:59    Post subject: Re: So, normal user here... Reply with quote
mattlward wrote:
Can I patch my router and access points or will they need to be 30/30/30'ed and reloaded?

I am running TP-Link and Dlink DIR-625's.

Thanks

First, wait for Brainslayer or Kong to compile a suitable build, then if you have a Broadcom device, it does not need 30/30/30 after installing the initial DD-WRT build (it does need it if it is new to DD-WRT).

_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


mattlward
DD-WRT Novice


Joined: 28 Sep 2006
Posts: 33

PostPosted: Mon Oct 16, 2017 18:19    Post subject: Thanks... Reply with quote
I am a dd-wrt user, not power user and I was not sure. I have all 3 running stable builds and they are very reliable with fairly large configs.

How does notice go out about a fix like this? Is there a specific place I should look, regularly?
flakie
DD-WRT User


Joined: 23 Sep 2017
Posts: 229
Location: Swindon, UK

PostPosted: Mon Oct 16, 2017 18:23    Post subject: Re: Thanks... Reply with quote
mattlward wrote:
I am a dd-wrt user, not power user and I was not sure. I have all 3 running stable builds and they are very reliable with fairly large configs.

How does notice go out about a fix like this? Is there a specific place I should look, regularly?


Look here: ftp://ftp.dd-wrt.com/betas/2017/

Anything newer than 10/10/2017 should contain the fix.

Then you have to find the folder for your device.

_________________
Router Model: Netgear R8000
Firmware: DD-WRT v3.0-r41813 std (12/29/19)
Modem: Super Hub 3.0
ISP: Virgin Media 350/35 Mbps

mattlward
DD-WRT Novice


Joined: 28 Sep 2006
Posts: 33

PostPosted: Mon Oct 16, 2017 18:23    Post subject: Mispost... Reply with quote
My Dlinks are DIR-825's... Teach me think and type, please.
mattlward
DD-WRT Novice


Joined: 28 Sep 2006
Posts: 33

PostPosted: Mon Oct 16, 2017 18:29    Post subject: Thanks for the reply, hope this is my last question... Reply with quote
I will go ahead and upgrade to 10-10. But, all three of my devices are Atheros... so can I do inplace upgrades or do I need to start over?
Newbrain
DD-WRT User


Joined: 28 Dec 2013
Posts: 171

PostPosted: Mon Oct 16, 2017 19:50    Post subject: Don't disable WPA2 Reply with quote
mojo-chan wrote:
Further information to be posted here:

https://www.krackattacks.com/

Seems like for now the only option is to disable WPA2 Personal and maybe use WPA2 Enterprise.


WPA2 is still the best we have, and if you're using AES, it's "just" a lack of confidentiality in that some packets can be decrypted.
Treat every wireless network as hostile (as always) and encrypt all communications like everybody is watching.

/Newbrain
bluezp
DD-WRT Novice


Joined: 19 Apr 2014
Posts: 2

PostPosted: Mon Oct 16, 2017 20:36    Post subject: Reply with quote
Looks like Kong has new test builds out that presumably include the patch.

http://www.desipro.de/ddwrt/K3-AC-Arm/TEST/?C=M;O=D
Eazy1
DD-WRT Novice


Joined: 16 Oct 2017
Posts: 1

PostPosted: Mon Oct 16, 2017 21:12    Post subject: Reply with quote
Hi!

I flashed my Netgear WNR3500L v2 some time ago, but I forgot how it works.
I want to flash the latest firmware from within the webadmin due to this security thing. Browsing the FTP for my router i only find a .chk. Don't I need a .bin to flash?

This is what i found:
ftp://ftp.dd-wrt.com/betas/2017/10-10-2017-r33492/netgear-wnr3500lv2/

The firmware I have now (as seen in webadmin):
DD-WRT v24-sp2 (03/25/13) mini - build 21061
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

PostPosted: Mon Oct 16, 2017 22:25    Post subject: Reply with quote
Eazy1 wrote:
I flashed my Netgear WNR3500L v2 some time ago, but I forgot how it works.

First read the build topic, maybe the newest build produces a brick.

_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


patsun
DD-WRT Novice


Joined: 17 Oct 2017
Posts: 4

PostPosted: Tue Oct 17, 2017 1:46    Post subject: Krack CVE Reply with quote
Isn't it just an assumption that the latest dd-wrt build includes an update to address this vulnerability at this time?

Is there any changelog or post anywhere that states it has been patched?

Does anyone know if the wifi key renewal/handshaking/etc is even handled by dd-wrt, or is handled by the chip firmware? E.G:-

https://github.com/kvalo/ath10k-firmware/commit/150227fe6b677b526363dc030ee7d62ee266d87c
(In the case of ath10k routers).

I raise the question because of what BrainSlayer and tatsuya46 have said recently on this ticket (for a different key renewal issue):

http://svn.dd-wrt.com/ticket/5279#comment:46

If I read it correctly, they are suggesting all the rekeying and encryption stuff is done by the chip firmware (not dd-wrt)? (At the very least in the case of the hardware they are discussing on that ticket.)

It would be reassuring to hear from someone in the know regarding this issue - considering the scope and severity of this vulnerability.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

PostPosted: Tue Oct 17, 2017 4:51    Post subject: Re: Krack CVE Reply with quote
patsun wrote:
Isn't it just an assumption that the latest dd-wrt build includes an update to address this vulnerability at this time?

No, it is not an assumption, it is patching the vulnerable binaries a short time after KRACK has gone public. If you understand programming, see http://svn.dd-wrt.com/changeset/33525

So far as the router goes, it is patched in Kong's latest test firmware. You also have to patch the clients (Apple and Microsoft already did this, Google needs a few weeks for Nexus, Pixel and AOSP). Lineage OS builds from 17 October or later are patched.

_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


patsun
DD-WRT Novice


Joined: 17 Oct 2017
Posts: 4

PostPosted: Tue Oct 17, 2017 7:43    Post subject: KRACK CVEs Reply with quote
Thanks slobodan, that's what I was looking for, feeling reassured now! Very Happy

http://svn.dd-wrt.com/ticket/6005#comment:2
Bib
DD-WRT Guru


Joined: 07 Jul 2008
Posts: 629
Location: France

PostPosted: Tue Oct 17, 2017 10:13    Post subject: Reply with quote
33525 is not the panacea because http://svn.dd-wrt.com/changeset/33528 exists (or http://svn.dd-wrt.com/changeset/33526)
Surely this is why 33525 is not in ftp.dd-wrt.com/betas/2017/ yet; big chance it will never be

I guess ATM BS needs a truck of cigarettes and a tanker of beer Smile

Am I right telling we just need to update only routers running in client or repeater mode (refraining to switch unpatched ones from AP to above modes) ?

[EDIT]: I said sillyness : 33525 is rolled out Smile Thank you BS

_________________
): FoReVeR nEwB Sad
apacheguy
DD-WRT User


Joined: 26 Jun 2008
Posts: 88

PostPosted: Tue Oct 17, 2017 15:04    Post subject: Reply with quote
Yeah, my understanding is that the vulnerability only affects a router operating in client/repeater mode. If it is just a straight AP then he patch is pretty useless.
Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8  Next Display posts from previous:    Page 2 of 8
Post new topic   Reply to topic    DD-WRT Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum