Last week the FreeBSD Security Team issued a notice regarding a WPA2 protocol vulnerability. Please see their message below to take the appropriate steps in keeping your FreeBSD system secure. UPDATE: A patch has been released in the follow up mailing list message.

Hash: SHA512

Dear FreeBSD community,

As many have already noticed, there are a few newly disclosed WPA2
protocol vulnerabilities that affects wpa_supplicant and hostapd which
also affects all supported FreeBSD releases:

  A vulnerability was found in how a number of implementations can be
  triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
  replaying a specific frame that is used to manage the keys.

  Such reinstallation of the encryption key can result in two different
  types of vulnerabilities: disabling replay protection and significantly
  reducing the security of encryption to the point of allowing frames to
  be decrypted or some parts of the keys to be determined by an attacker
  depending on which cipher is used.

We are actively working on a patch for the base system to address these
issues. Current users who use Wi-Fi with WPA2 should use a wired
connection as a workaround, and we strongly recommend using end-to-end
encryption methods like HTTPS or SSH to better protect against this type
of attack.  Please note that a successful attack requires close
proximity to the victim systems.

Alternatively, we recommend wpa_supplicant users who are concerned with
the issue to install an updated version from the ports/packages
collection (version 2.6_2 or later).  It can be installed via ports

  portsnap fetch update
  cd /usr/ports/security/wpa_supplicant
  make clean; make all deinstall install clean;

Change /etc/rc.conf to make use of the port/package version by adding:


And restart the Wi-Fi network interfaces or reboot the system.

Additional information about this remediation will be released as
SA-17:07 once it becomes available.

For more information about the vulnerabilities, please see the following
online resources:

The FreeBSD Security Team

Original announcement:

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart the Wi-Fi network interfaces/hostapd or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart the Wi-Fi network interfaces/hostapd or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch
# fetch
# gpg --verify wpa-11.patch.asc

[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch
# fetch
# gpg --verify wpa-10.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:>.

Restart the applicable daemons, or reboot the system.

UPDATE [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-17:07.wpa [REVISED]: