openSUSE Security Update : hostapd (openSUSE-2017-1201) (KRACK)

Medium Nessus Plugin ID 104237

VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for hostapd fixes the following issues:

- Fix KRACK attacks on the AP side (boo#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):

Hostap was updated to upstream release 2.6

- fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5314)

- fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476)

- extended channel switch support for VHT bandwidth changes

- added support for configuring new ANQP-elements with anqp_elem=<InfoID>:<hexdump of payload>

- fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior)

- added no_probe_resp_if_max_sta=1 parameter to disable Probe Response frame sending for not-associated STAs if max_num_sta limit has been reached

- added option (-S as command line argument) to request all interfaces to be started at the same time

- modified rts_threshold and fragm_threshold configuration parameters to allow -1 to be used to disable RTS/fragmentation

- EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer)

- fixed EAPOL reauthentication after FT protocol run

- fixed FTIE generation for 4-way handshake after FT protocol run

- fixed and improved various FST operations

- TLS server:

  - support SHA384 and SHA512 hashes

  - support TLS v1.2 signature algorithm with SHA384 and SHA512

  - support PKCS #5 v2.0 PBES2

  - support PKCS #5 with PKCS #12 style key decryption

  - minimal support for PKCS #12

  - support OCSP stapling (including ocsp_multi)

- added support for OpenSSL 1.1 API changes

- drop support for OpenSSL 0.9.8

- drop support for OpenSSL 1.0.0

- EAP-PEAP: support fast-connect crypto binding

- RADIUS:

  - fix Called-Station-Id to not escape SSID

  - add Event-Timestamp to all Accounting-Request packets

  - add Acct-Session-Id to Accounting-On/Off

  - add Acct-Multi-Session-Id to Access-Request packets

  - add Service-Type (= Frames)

  - allow server to provide PSK instead of passphrase for WPA-PSK Tunnel_password case

  - update full message for interim accounting updates

  - add Acct-Delay-Time into Accounting messages

  - add require_message_authenticator configuration option to require CoA/Disconnect-Request packets to be authenticated

- started to postpone WNM-Notification frame sending by 100 ms so that the STA has some more time to configure the key before this frame is received after the 4-way handshake

- VHT: added interoperability workaround for 80+80 and 160 MHz channels

- extended VLAN support (per-STA vif, etc.)

- fixed PMKID derivation with SAE

- nl80211

- added support for full station state operations

- fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames

- added initial MBO support; number of extensions to WNM BSS Transition Management

- added initial functionality for location related operations

- added assocresp_elements parameter to allow vendor specific elements to be added into (Re)Association Response frames

- improved Public Action frame addressing:

  - use Address 3 = wildcard BSSID in GAS response if a query from an unassociated STA used that address

  - fix TX status processing for Address 3 = wildcard BSSID

  - add gas_address3 configuration parameter to control Address 3 behavior

- added command line parameter -i to override interface parameter in hostapd.conf

- added command completion support to hostapd_cli

- added passive client taxonomy determination (CONFIG_TAXONOMY=y compile option and 'SIGNATURE <addr>' control interface command)

- number of small fixes

hostapd was updated to upstream release 2.5

- (CVE-2015-1863) is fixed in upstream release 2.5

- fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141 boo#930077)

- fixed WMM Action frame parser [http://w1.fi/security/2015-3/] (CVE-2015-4142 boo#930078)

- fixed EAP-pwd server missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, boo#930079)

- fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/]

- nl80211:

  - fixed vendor command handling to check OUI properly

- fixed hlr_auc_gw build with OpenSSL

- hlr_auc_gw: allow Milenage RES length to be reduced

- disable HT for a station that does not support WMM/QoS

- added support for hashed password (NtHash) in EAP-pwd server

- fixed and extended dynamic VLAN cases

- added EAP-EKE server support for deriving Session-Id

- set Acct-Session-Id to a random value to make it more likely to be unique even if the device does not have a proper clock

- added more 2.4 GHz channels for 20/40 MHz HT co-ex scan

- modified SAE routines to be more robust and PWE generation to be stronger against timing attacks

- added support for Brainpool Elliptic Curves with SAE

- increased maximum value accepted for cwmin/cwmax

- added support for CCMP-256 and GCMP-256 as group ciphers with FT

- added Fast Session Transfer (FST) module

- removed optional fields from RSNE when using FT with PMF (workaround for interoperability issues with iOS 8.4)

- added EAP server support for TLS session resumption

- fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version)

- added mechanism to track unconnected stations and do minimal band steering

- number of small fixes

Solution

Update the affected hostapd packages.

See Also

http://w1.fi/security/2015-2/

http://w1.fi/security/2015-3/

http://w1.fi/security/2015-4/

http://w1.fi/security/2015-5/

http://w1.fi/security/2015-7/

http://w1.fi/security/2016-1/

https://bugzilla.opensuse.org/show_bug.cgi?id=1063479

https://bugzilla.opensuse.org/show_bug.cgi?id=930077

https://bugzilla.opensuse.org/show_bug.cgi?id=930078

https://bugzilla.opensuse.org/show_bug.cgi?id=930079

Plugin Details

Severity: Medium

ID: 104237

File Name: openSUSE-2017-1201.nasl

Version: 3.7

Type: local

Agent: unix

Published: 2017/10/30

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 5.9

CVSS v2.0

Base Score: 5.8

Vector: CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:hostapd, p-cpe:/a:novell:opensuse:hostapd-debuginfo, p-cpe:/a:novell:opensuse:hostapd-debugsource, cpe:/o:novell:opensuse:42.2, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2017/10/27

Reference Information

CVE: CVE-2015-1863, CVE-2015-4141, CVE-2015-4142, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-5314, CVE-2016-4476, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088

IAVA: 2017-A-0310