Last week the FreeBSD Security Team issued a notice regarding a WPA2 protocol vulnerability. Please see their message below to take the appropriate steps in keeping your FreeBSD system secure. UPDATE: A patch has been released in the follow up mailing list message.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dear FreeBSD community, As many have already noticed, there are a few newly disclosed WPA2 protocol vulnerabilities that affects wpa_supplicant and hostapd which also affects all supported FreeBSD releases: A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. We are actively working on a patch for the base system to address these issues. Current users who use Wi-Fi with WPA2 should use a wired connection as a workaround, and we strongly recommend using end-to-end encryption methods like HTTPS or SSH to better protect against this type of attack. Please note that a successful attack requires close proximity to the victim systems. Alternatively, we recommend wpa_supplicant users who are concerned with the issue to install an updated version from the ports/packages collection (version 2.6_2 or later). It can be installed via ports with: portsnap fetch update cd /usr/ports/security/wpa_supplicant make clean; make all deinstall install clean; Change /etc/rc.conf to make use of the port/package version by adding: wpa_supplicant_program="/usr/local/sbin/wpa_supplicant" And restart the Wi-Fi network interfaces or reboot the system. Additional information about this remediation will be released as SA-17:07 once it becomes available. For more information about the vulnerabilities, please see the following online resources: https://www.krackattacks.com/ https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Sincerely, The FreeBSD Security Team
Original announcement: https://lists.freebsd.org/pipermail/freebsd-announce/2017-October/001805.html
Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart the Wi-Fi network interfaces/hostapd or reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart the Wi-Fi network interfaces/hostapd or reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE] # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc # gpg --verify wpa-11.patch.asc [FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE] # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc # gpg --verify wpa-10.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the applicable daemons, or reboot the system.
UPDATE [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-17:07.wpa [REVISED]: https://lists.freebsd.org/pipermail/freebsd-announce/2017-October/001807.html