Author Topic: KRACK WPA2 Vulnerability - are firmware updates available?  (Read 12246 times)

uhClem

  • Calf
  • *
  • Posts: 21
KRACK WPA2 Vulnerability - are firmware updates available?
« on: October 16, 2017, 09:33:49 AM »
I read this morning of the KRACK vulnerability which seems to exist in just about every WPA2 device.  Presumably, I need to update my router.  I see no mention of this here or on BuffaloTech.com main pages.  What is Buffalo doing about this problem?

Discoverer of vulnerability's web page on it:
https://www.krackattacks.com/

DD-WRT forums thread (no action yet?)
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311679&highlight=krack+wpa2

It is not clear to me if this is mostly a router or mostly a client problem or if the exploit works equally against both.  Make sure you are using secure protocols over WI-FI.  (HTTPS, e-mail over SSL encrypted protocols, etc.)

Note to Android 6 users:  The version is particularly vulnerable because the exploit can cause it to use a key of all zeros!
« Last Edit: October 16, 2017, 09:45:50 AM by uhClem »

buffalo_user_lol

  • Calf
  • *
  • Posts: 1
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #1 on: October 16, 2017, 09:46:57 AM »
Came here looking for this also. For more info:

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

This is a big deal, Buffalo needs to get on this. Everybody needs to get on this.

csgreenknight

  • Calf
  • *
  • Posts: 1
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #2 on: October 16, 2017, 11:15:11 AM »
Looking for an update as well.

xenophore

  • Calf
  • *
  • Posts: 1
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #3 on: October 16, 2017, 03:09:02 PM »
Here's a list of companies that have already supplied fixes: https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it

Buffalo is conspicuously absent.

ProFromGrover

  • Calf
  • *
  • Posts: 3
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #4 on: October 16, 2017, 05:26:33 PM »
I'm also very interested in updates to address KRACK. DD-WRT patches have been developed, but they must be rolled into the firmware and distributed ASAP.

kjhambrick

  • Calf
  • *
  • Posts: 1
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #5 on: October 18, 2017, 05:55:11 AM »
I also need an update for my WZR-D1800H Ver.1.99

Any Input from the Buffalo Folks ?

Thanks.

-- kjh


gijoecam

  • Calf
  • *
  • Posts: 1
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #6 on: October 18, 2017, 09:27:17 PM »
Add me to the list of people wondering about a firmware update for this issue...

ProFromGrover

  • Calf
  • *
  • Posts: 3
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #7 on: October 19, 2017, 10:19:49 AM »
I just found this in the warranty information for DD-WRT routers on the Buffalo website.

Open Source DD-WRT Routers are factory pre-loaded with the open source operating system, DD-WRT. All development, firmware updates, technical and configuration support will be provided by DD-WRT and the DD-WRT community. Buffalo Americas provides a limited hardware warranty that covers malfunctioning hardware. Hardware warranty support is available for 90 days from purchase via phone or via email for the entirety of the warranty period.

It looks like we're all on our own.  I don't think Buffalo is going to help. This is one of the reasons I bought the Buffalo routers and recommended them to customers, but that policy just changed for me.

Go to this page: http://dd-wrt.com/wiki/index.php/Supported_Devices#Buffalo
Find your model, then in the column on the far right side click the notes or installer version.
After that you're on your own.  I've done this before and it has always worked, but the instructions can be a little bizarre at times.

While researching, my question was will doing this actually address the KRACK vulnerability? So I'm passing along the next thing I found, the betas that have been released for DD-WRT, hopefully for your model. Anything after 10/10/2017 should have addressed this.
ftp://ftp.dd-wrt.com/betas/2017/

I would flash to the latest standard DD-WRT on the first page linked, then apply the beta patches.  But that's just me.

Good luck.
« Last Edit: October 19, 2017, 11:40:49 AM by ProFromGrover »

ProFromGrover

  • Calf
  • *
  • Posts: 3
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #8 on: October 19, 2017, 01:54:44 PM »
This is my last post on this subject I think.  :-)

FOR WHAT IT'S WORTH this is what I did. I went to the beta link that I posted above ftp://ftp.dd-wrt.com/betas/2017/

I downloaded the file named wzr-hp-ag300h-dd-wrt-webupgrade-MULTI.bin since that's the model I have.

I opened the admin | firmware page on my router.  I made a backup of the current settings.  I selected the file and clicked the Upgrade button.  It took 300 seconds, then rebooted and voila!

This is not to say these steps will work for you, but they worked for me.  I think most of the instructions on the DD-WRT Wiki are more of a reaction to worst-case scenarios or one-off situations.  Not to say that if you do the same thing I did it won't brick your router, which is always a possibility, so be ready in case that happens.  I went in with my eyes open, you'd better do the same.

ACGarland

  • Calf
  • *
  • Posts: 4
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #9 on: October 19, 2017, 05:46:51 PM »
Hello ProFromGrover,

Just a short note to say "thank you" for the links to the detailed information regarding applying updates from dd-wrt.com .  I read some of the precautionary warnings and I must say, it's a wonder anybody risks doing an upgrade--the number and seriousness of the warnings is pretty overwhelming. (And I'm an electrical engineer working in firmware/software for multiple decades.) 

I found your second report a great deal more encouraging!

Unfortunately, the router database page for my model (WHR-HP-G54) shows a latest stable build dated 2017-09-07 and I couldn't find any betas listed for that model.

So I guess I'll have to wait to see if anything newer than 2017-09-07 gets posted--or a beta added for the WHR-HP-G54.

My present firmware version is pretty ancient (model  WHR-HP-G54 Ver.1.40 (1.0.37-1.08-1.04)) so I definitely need to get with it and update mine--I'm still using WEP (although with MAC filtering) :-P  But if the update is risky/complex, I'd rather wait and do it once.

retry

  • Calf
  • *
  • Posts: 4
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #10 on: October 20, 2017, 01:26:24 AM »
I just want to help everybody out that wants a fix for this.  Yes, you need to go to dd wrt's community site to get new firmware.  First off, the website is completely out of date.  You want to go to the forums to look for the newest information.  Unfortunately it's just a complete mess to get that information.  But the firmware is reasonably well organized.  You just have to know where to look.  So here is where you go:

ftp://ftp.dd-wrt.com/betas/

Then drill down to the latest builds:

ftp://ftp.dd-wrt.com/betas/2017/10-17-2017-r33525/

This is the ONLY rev with the KRACK patch.  Find your router model.  For example, I own 2 WZR-600DHP's :
ftp://ftp.dd-wrt.com/betas/2017/10-17-2017-r33525/buffalo_wzr-600dhp/

In that dir, you will see TWO binaries. If you're here, you probably still have buffalo firmware installed.  So you'll want this one:
buffalo_to_ddwrt_webflash-MULTI.bin

The other one is what you will use after you've converted to the community builds (i.e. when you flash future revisions).

You can try to upgrade via the web interface if you have buffalo branded DD-WRT.  I highly recommend you backup your config, take screenshots of settings too, and reset the config when you flash.  Don't be surprised if the flash takes 10 minutes.  Also don't be surprised if it fails.  I could never get a web upgrade to work right. 

In which case you have to use tftp, which is technically more complicated than the web based upgrade. Different routers have different tftp guides.  I will explain the procedure for a WZR-600DHP which should cover fundamentals, but settings will be different for different hardware (i.e. IP addr to set, MAC addr to set, etc.)

This is going to be super confusing to novices, but what you want to do is unplug your router from the internet and pull the plug. Get an ethernet cable and attach it from your PC to a LAN port on the router (NOT the WAN port).  You will then set your PC's ethernet device to 192.168.11.2 with a 255.255.255.0 subnet mask (gateway can stay blank).  Then you will open a command prompt.

Then type the following command:

netsh interface ip add neighbors "Local Area Connection" 192.168.11.1 02-AA-BB-CC-DD-20

Again, the IP address and MAC address are what the WZR-600DHP wants.  Other routers will expect different things. You'll have to do your own research on that.

Now cd to whatever dir you saved the firmware binary in.  If you saved to your Desktop, then cd Desktop should take you there.  Now you will type (but do not press enter yet):

tftp -i 192.168.11.1 PUT <firmware file>

e.g.:
tftp -i 192.168.11.1 PUT buffalo_to_ddwrt_webflash-MULTI.bin

So that command is waiting to launch (you didn't press enter right?).  Now open a second command prompt.  Type the following command:
arp -a

You will see some IP addresses and MAC addresses in a list (or maybe nothing at all).  Just be ready to type that command over and over in a moment.

Now plug the router back in.  It will power up, and the TFTP window will open in around 10 seconds and last for 4 seconds.  While it's powering up, go back to the window with the arp -a command and just repeatedly run the command until you see a line for 192.168.11.2 pop up with the MAC address we entered earlier: 02-AA-BB-CC-DD-20

When you see it, switch to the window with the tftp command line ready to go and press enter.  Wait for the transfer to complete.  You may have to disable your firewall if it doesn't work.  If you miss the window, or the transfer fails or times out,  power off the router and start over at the tftp line above.

If you see the result that the transfer was successful, then just be patient.  Give the router 10 minutes to flash and restart.  If all goes well you can change your ethernet adapter back to dynamic assignment and connect to your router via the web gui at http://192.168.1.1 .

Good luck.  I won't be monitoring this forum or offering any help.  Be prepared to waste hours if you brick your router.  If you have another way of connecting to the internet during all this, great.  If not make sure you've got all the documentation, firmware, etc. you need before you knock yourself offline. 

If you're smart like me (haha), you own two identical wifi routers and you rotate which is the slave (repeater) and which is the master (router) with every firmware upgrade, always upgrading the slave first, then promoting it to the master.  This way you never end up offline in case things go totally south (yes I've been in a bricked state for days before -- live and learn).

The WZR-600DHP is a fine router.  I've been happy with them.
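
The TFTP step in the post above, as an added example (not part of the post and not DD-WRT or Buffalo tooling): a small Python TFTP client that keeps resending the write request until the bootloader answers, so the 4-second window does not have to be caught by hand. It assumes the PC already has the static address and the static neighbour entry described in the post; the function names are this example's own.

```python
import socket
import struct
import time

BLOCK = 512                          # RFC 1350 data block size
OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5

def build_wrq(filename):
    """Write request in binary ("octet") mode, the mode `tftp -i` selects."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0octet\0"

def data_packets(image):
    """Numbered DATA packets; a block under 512 bytes (possibly empty) ends the transfer."""
    return [struct.pack("!HH", OP_DATA, (i + 1) & 0xFFFF) + image[i * BLOCK:(i + 1) * BLOCK]
            for i in range(len(image) // BLOCK + 1)]

def parse_reply(packet):
    """Return the acknowledged block number; raise on a TFTP ERROR or junk."""
    if len(packet) < 4:
        raise ValueError("short TFTP packet")
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == OP_ERROR:
        raise RuntimeError("TFTP error %d: %r" % (value, packet[4:]))
    if opcode != OP_ACK:
        raise ValueError("unexpected opcode %d" % opcode)
    return value

def put(host, filename, image, port=69, window=120.0, timeout=1.0):
    """Resend the WRQ until the bootloader answers, then stream the image."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        deadline, peer = time.monotonic() + window, None
        while peer is None:
            if time.monotonic() > deadline:
                raise TimeoutError("no answer to WRQ; power-cycle the router and retry")
            try:
                sock.sendto(build_wrq(filename), (host, port))
                reply, addr = sock.recvfrom(1024)
                if parse_reply(reply) == 0:
                    peer = addr      # the server may answer from a new port (its TID)
            except OSError:          # timeout, link still down, ICMP unreachable
                time.sleep(0.2)
        for number, packet in enumerate(data_packets(image), start=1):
            for _ in range(5):       # retransmit each block a few times
                sock.sendto(packet, peer)
                try:
                    reply, addr = sock.recvfrom(1024)
                except socket.timeout:
                    continue
                if addr == peer and parse_reply(reply) == number & 0xFFFF:
                    break
            else:
                raise TimeoutError("block %d never acknowledged" % number)
    return len(image)
```

Start `put("192.168.11.1", "buffalo_to_ddwrt_webflash-MULTI.bin", image_bytes)` with the router unplugged, then plug it in; the call returns the number of bytes sent once the last block is acknowledged.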

Texturtle

  • Administrator
  • *****
  • Posts: 893
  • RAID is NOT a substitute for a good backup

hmrct

  • Calf
  • *
  • Posts: 2
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #12 on: October 20, 2017, 01:08:24 PM »
Glad to see Buffalo is *probably* going to issue a DD-WRT Professional firmware upgrade for the WZR-600DHP.  There are a number of reasons you might want to wait for the pro upgrade instead of replacing it with a community firmware upgrade.  In particular, there are two router features supported by the pro firmware that are not supported by the community firmware (don't have the list in front of me, but the DD-WRT wiki section for the WZR-600DHP is helpful in that regard): most of us probably don't use those features, but I hate giving up capabilities even if I'd never use them.

You also lose the Buffalo branding seen on the web-based administration pages (not necessarily an issue -- pointed reminder you're running a community firmware load instead of the pro firmware), and the ability to configure certain features via the web interface, i.e., you'll have to get familiar with the command-line interface.  I'd like to think that's not an issue for people who value having DD-WRT as an option, but I'm all about not violating the principle of least astonishment when it comes to upgrades.

One last observation...  As another poster mentioned, if you read through the instructions for flashing the community firmware and are paying attention, you will probably come away from the effort with the distinct impression your odds of success are essentially nil.  Logic says that has to be b.s. or people couldn't be enticed to try the community firmware loads.  HOWEVER, the advice to have a backup router available is a great idea.  Get the backup flashed and configured the way you want it, then swap it out with your current primary.  Minimal downtime, and you don't accidentally saw off the tree limb upon which you're sitting.

ACGarland

  • Calf
  • *
  • Posts: 4
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #13 on: October 20, 2017, 03:46:44 PM »
I concur: the number of dire warnings and "details" that one is expected to navigate on the dd-wrt.com website in order to update one's router seems over-the-top.  Many (most?) who might consider doing so will conclude it's too risky or will require a ton of time.  Representing the upgrade process as something where people have to master all the intricacies of dozens of warnings and potential problems is simply not workable.  Most folks don't have the time, nor the expertise, to devote hours and hours to updating their firmware.

This has always been the Achilles heel of open source: some WONDERFUL apps and mind-blowing utilities (e.g., git), but sorting through the mountain of stale may-or-may-not-apply-in-your-case "documentation" to figure out what YOU need to do can almost make some packages unusable.  Aspects of the dd-wrt.com website seem that way.

In my case, I need to upgrade/update a Buffalo WHR-HP-G54 (two, purchased in 2007 and 2010) and have no idea whether they are considered so old that neither Buffalo nor dd-wrt.com will eventually have updates that deal with the KRACK WPA2 vulnerability for that particular platform.

retry

  • Calf
  • *
  • Posts: 4
Re: KRACK WPA2 Vulnerability - are firmware updates available?
« Reply #14 on: October 21, 2017, 01:29:07 PM »
Yes flashing router firmware is not the same thing as a software update. IMO it's a travesty of the hardware community that they don't maintain the software that runs their equipment.  Buffalo does show support for *some* of its older hardware, and that is laudable.  This is why I've been a loyal buffalo customer through 3 generations of router purchases (802.11g, 802.11n, dual-band 802.11n/ac).  That and the fact that when they do cut off support, their routers take DD-WRT already without having to go through extra steps like unlocking a bootloader.

I'll use a car analogy.  Some people can barely pump their own gas.  Some people can change their oil/swap their tires/replace spark plugs.  Some people can repair engine problems. Some people can completely mod a car. 

The point is, if you're not a technical computer user, if the command line frightens and confuses you, then do not attempt a TFTP upgrade.  It also means *if* you brick your router through the web gui, you cannot recover.  Honestly, it's just about following a series of steps without rushing through it and skipping something important.  Remember when we were kids in school and we got that assignment to read ALL the instructions carefully before you begin?  Then the last instruction is to disregard all the instructions and merely sign your name at the top? Did you pass that quiz? If not, then you will probably fail.

I've flashed every router I've ever owned.  I have bricked routers, screamed, punched things, etc, but I always ended up triumphant.  This is the nature of ALL engineering and technical work.

I am unaware of any features in the Buffalo branded dd-wrt firmware that aren't in the community builds.  The community builds have moved on so much and added features.  My wifi is infinitely more stable on this latest community build than it was on the last buffalo build. 

BTW, the dnsmasq vulnerability was never patched by buffalo either.
http://www.itsecdb.com/oval/definition/oval/com.redhat.rhsa/def/20172836/RHSA-2017-2836-dnsmasq-security-update-Critical-.html

If you *are* still using the buffalo firmware, you ought to disable dnsmasq.

The fact of the matter is, no hardware vendor is really doing a good enough job keeping their products up to date and safe.  Sure Buffalo is better than most of the other router vendors, but that's not really saying much.  A router is just a purpose specific server.  Servers get software updates AS THEY ARE needed.  If you run linux systems, security patches can come at any time, and are almost always painless to install. 

Phones are a great example of a purpose specific computer that is actually nothing more than a server (always on/always connected to the internet with at least one exposed service) but almost never get timely updates.  There is only one way I know to remedy that: own an android phone and install LineageOS or some other community driven project based on AOSP.  I flash a new ROM onto my phone weekly in a few minutes.  It is painless and effective.

In my experience with DD-WRT, they rely on the community to QA builds, so a new revision can be really buggy and unstable.  I only flash when something serious comes along like KRACK or the dnsmasq flaws.  It takes effort to pay attention to what is happening with software. But you know what? You ALL rely on this technology everyday for very important things.  You SHOULD be paying attention.  Or you can be like the ignorant masses and have your equipment become part of some 100000 unit strong botnet, causing DDOSes and ransomware.  Consider it civic duty if you will.