The problem of wpa2 (KRACKs)

Hi,
I’m using balenaOS 2.32.0+rev1 and device type is Raspberry Pi 3.
It was pointed out to me by a security research company that the version of wpa2_supplicant on the device is a version that is affected by KRACKs (https://www.krackattacks.com/).

The version of wpa_supplicant in my balenaOS is v2.6, which can possibly be attacked.
I’m afraid of this problem.

I found a pull request (https://github.com/balena-os/meta-balena/pull/885) which is probably related to this issue, but it doesn’t seem to have been merged.
Are there any plans to update wpa_supplicant or any other plans?

Best regards.

Hi,
If the PR you pointed at is meant to fix/mitigate this vulnerability, those patches have been applied upstream and merged into balenaOS a long time ago, I believe since v2.4.0.
Are there other patches you are aware of that we do not apply?
Kind regards,
Theodor

Hi,
To follow up on this: we recently merged this PR (https://github.com/balena-os/meta-balena/pull/1714), which updates wpa_supplicant to v2.9. So this will appear in one of the next balenaOS versions.
Best regards,