ASUS Krackattack patch?

[sfx2000]

bridge mode would also be at risk, as the device would be a client to the AP - and perhaps a particularly tasty target as bridge would potentially be multiple clients behind it.

 

[MacG32]

Microsoft has already fixed the Wi-Fi attack vulnerability

 

[TreeMan]

I'm a little confused by all this, and by all the conflicting reports of the severity of this vulnerability, but I have two main questions I'd like to see definitive answers for:

First, will the 380 branch of Asuswrt-Merlin be updated with the fix for this vulnerability, and if so, any idea when that might happen? None of the Asus routers in my family are the RT-AC86U so at this point the 382.1 builds aren't applicable.

Second, until such time as a build with the fix is released, are there any settings that must be set a in a particular way to minimize exposure? In these cases the routers are being used simply as routers (ethernet cable from the WAN port to the cable modem, so no wireless connection from the routers to any other router).

 

[joegreat]

I'm a little confused by all this, and by all the conflicting reports of the severity of this vulnerability, but I have two main questions...

The answer is simple: Update your clients first (it's mainly a client problem) - then wait for the update for your router.

Remember: Your client devices will also connect to other Routers/APs which might not be updated at all!

 

[schwasskin]

This is a client issue. You have t patch clients. if your running your router as a WiRELESS CLIENT to another device, then your router is vulnerable. If not, patch your CLIENTS ie windows ubuntu android etc. when routers and networking devices get patched for this vuln it is to protect them when running as a wpa2 wifi CLIENNNNNT!

Sent from my Moto G (4) using Tapatalk

 

[TreeMan]

The answer is simple: Update your clients first (it's mainly a client problem) - then wait for the update for your router.

Remember: Your client devices will also connect to other Routers/APs which might not be updated at all!

You did not answer either of my questions. I realize that it is mainly a client problem but still it appears that there is at least some value to updating the router firmware as well. And beyond that, with most wi-fi clients there is nothing you can do because you have to wait for the manufacturer or the maintainer of the operating system to release a fix, and then (in the case of phones) for the carrier to push the fix. Neither Apple nor Google seem to be in any huge rush to patch this hole (Ubuntu, Debian and Microsoft, on the other hand, seem to have been quicker to address this). So in the meantime, the only thing we can do to try and at least be a little proactive is to make sure our routers have updated firmware, and I just wanted to know when that might be available, and what settings on the router should be set in a certain specific way until then.

 

[thelonelycoder]

You did not answer either of my questions. I realize that it is mainly a client problem but still it appears that there is at least some value to updating the router firmware as well. And beyond that, with most wi-fi clients there is nothing you can do because you have to wait for the manufacturer or the maintainer of the operating system to release a fix, and then (in the case of phones) for the carrier to push the fix. Neither Apple nor Google seem to be in any huge rush to patch this hole (Ubuntu, Debian and Microsoft, on the other hand, seem to have been quicker to address this). So in the meantime, the only thing we can do to try and at least be a little proactive is to make sure our routers have updated firmware, and I just wanted to know when that might be available, and what settings on the router should be set in a certain specific way until then.

You were given the answer.
The clients are the problem, unless you run your router in Repeater or Media bridge mode. Access point (AP) or Wireless router mode (standard settingg of your router) are NOT affected.

 

[TreeMan]

You were given the answer.

NO, I was NOT given the answer to THE QUESTIONS I ASKED.

You gave me the answers to the questions YOU thought I SHOULD be asking. But I already knew all that.

The questions I ASKED were these:

"First, will the 380 branch of Asuswrt-Merlin be updated with the fix for this vulnerability, and if so, any idea when that might happen? None of the Asus routers in my family are the RT-AC86U so at this point the 382.1 builds aren't applicable."

Unless you are the Asuswrt-Merlin developer, which you are not, you have no idea how to answer that question.

"Second, until such time as a build with the fix is released, are there any settings that must be set a in a particular way to minimize exposure? In these cases the routers are being used simply as routers (ethernet cable from the WAN port to the cable modem, so no wireless connection from the routers to any other router)."

What I am probably really asking here is if "802.11r" is enabled or disabled by some particular setting. It is apparent that you don't know the answer to that either.

You can try to tell me that you answered my questions until you fingers are bloody from typing it, but so far, you haven't. For my first question, you don't know the answer, and for my second question, it's pretty clear you don't know that either. Are you the "resident know-it-all" of this forum? Seems like there's at least one in every technical forum. They have a high post count, but most of their replies are of very low quality.

 

[gLWxSJeSsEA]

Arguably the most interesting vulnerability from an attacker's point of view is the FT handover issue that is entirely an access point issue. Probably not a concern for home users though, since your data probably isn't interesting enough to pull for decrypting later. But the ability to get tons of data without any real chance of being detected even with the most sophisticated intrusion detection is probably what the bad guys are most interested in.

 

[thelonelycoder]

NO, I was NOT given the answer to THE QUESTIONS I ASKED.

You gave me the answers to the questions YOU thought I SHOULD be asking. But I already knew all that.

The questions I ASKED were these:

"First, will the 380 branch of Asuswrt-Merlin be updated with the fix for this vulnerability, and if so, any idea when that might happen? None of the Asus routers in my family are the RT-AC86U so at this point the 382.1 builds aren't applicable."

Unless you are the Asuswrt-Merlin developer, which you are not, you have no idea how to answer that question.

"Second, until such time as a build with the fix is released, are there any settings that must be set a in a particular way to minimize exposure? In these cases the routers are being used simply as routers (ethernet cable from the WAN port to the cable modem, so no wireless connection from the routers to any other router)."

What I am probably really asking here is if "802.11r" is enabled or disabled by some particular setting. It is apparent that you don't know the answer to that either.

You can try to tell me that you answered my questions until you fingers are bloody from typing it, but so far, you haven't. For my first question, you don't know the answer, and for my second question, it's pretty clear you don't know that either. Are you the "resident know-it-all" of this forum? Seems like there's at least one in every technical forum. They have a high post count, but most of their replies are of very low quality.

@joegreat has given you the answer to this as well: Wait for the update.
And "the update" will be available for 380.xx routers, if and when Asus gets the wireless chip manufacturers to release code.

And the only wireless setting you can change to eliminate the risk of an eavesdropper is to deactivate all wireless communication over WiFi.

And since I'm not the developer, don't take my word for it.

And this concludes my involvement here. I'll wait until this madness has all blown over.
In about a day or two, a week at most.

 

[ColinTaylor]

Unless you are the Asuswrt-Merlin developer, which you are not, you have no idea how to answer that question.

Your questions were already answered by the developer earlier in this thread. Particularly here and here.

 

[RMerlin]

First, will the 380 branch of Asuswrt-Merlin be updated with the fix for this vulnerability, and if so, any idea when that might happen?

I don't know, because the fix has to come from Broadcom, not from me.

In these cases the routers are being used simply as routers

Nothing that has to be done on the router. On the client side, you have to update your clients with fixes if they need one. I'm not aware of any mitigation method.

 

[RMerlin]

Arguably the most interesting vulnerability from an attacker's point of view is the FT handover issue that is entirely an access point issue. Probably not a concern for home users though, since your data probably isn't interesting enough to pull for decrypting later. But the ability to get tons of data without any real chance of being detected even with the most sophisticated intrusion detection is probably what the bad guys are most interested in.

Asuswrt does not support 802.11r.

 

[schwasskin]

RMerlin,
You have answered my question in full. Feel free to close the thread. And thank you for the timely response and support!

Sent from my Moto G (4) using Tapatalk

 

[Jack Yaz]

NO, I was NOT given the answer to THE QUESTIONS I ASKED.

You gave me the answers to the questions YOU thought I SHOULD be asking. But I already knew all that.

The questions I ASKED were these:

"First, will the 380 branch of Asuswrt-Merlin be updated with the fix for this vulnerability, and if so, any idea when that might happen? None of the Asus routers in my family are the RT-AC86U so at this point the 382.1 builds aren't applicable."

Unless you are the Asuswrt-Merlin developer, which you are not, you have no idea how to answer that question.

"Second, until such time as a build with the fix is released, are there any settings that must be set a in a particular way to minimize exposure? In these cases the routers are being used simply as routers (ethernet cable from the WAN port to the cable modem, so no wireless connection from the routers to any other router)."

What I am probably really asking here is if "802.11r" is enabled or disabled by some particular setting. It is apparent that you don't know the answer to that either.

You can try to tell me that you answered my questions until you fingers are bloody from typing it, but so far, you haven't. For my first question, you don't know the answer, and for my second question, it's pretty clear you don't know that either. Are you the "resident know-it-all" of this forum? Seems like there's at least one in every technical forum. They have a high post count, but most of their replies are of very low quality.

There's always at least one new forum member that thinks they're entitled too....

You were given the answers by several of the resident experts/members here, but because you seem to not like the answer (i.e. Router mode is not affected, rather its the clients that need patching), you chose to throw your toys out of the pram. Yes routers in a client mode require a patch, but I would think the majority of the people concerned here run their Asus in Router mode.

 

[TreeMan]

There's always at least one new forum member that thinks they're entitled too....

Silly me, I think that when you ask a question in a forum, people should answer the question you actually asked, not go off on some irrelevant tangent. If you ask me "What is the capital of the United States?" and I respond by telling you the circumference of the moon, I have not helped you in any way. I have come to HATE "resident experts" in forums for just this reason; they always want to try to make thenselves look SO smart by trying to answer nearly every question, even if they have no idea what the answer is and can't provide any useful information. Unfortunately for such people, I am not in the slightest impressed by their high post count, or even by the fact that they may have actually helped someone in the past.

Yes, I DO very much feel entitled to have the question I actually asked answered, OR if someone does not know the answer, doesn't feel like helping, hates my guts or whatever, then just keep your damn fingers off the keyboard and move on to the next post. Nobody's forcing anyone to post an answer to anything, but when you post an irrelevant answer it just makes you look like a pompous butt that gets his jollies by running up his post count (ESPECIALLY when you then come back a few posts later and try to claim you answered the question).

 

[TreeMan]

I don't know, because the fix has to come from Broadcom, not from me.

Okay, got it. I just wonder how the DD-WRT people are implementing the fix then. I am not certain whether their fix works with Broadcom-based routers, so I will leave it at that.

Nothing that has to be done on the router. On the client side, you have to update your clients with fixes if they need one. I'm not aware of any mitigation method.

Thank you for that clarification, I appreciate it.

 

[thelonelycoder]

(ESPECIALLY when you then come back a few posts later and try to claim you answered the question)

...

 

[ColinTaylor]

I just wonder how the DD-WRT people are implementing the fix then. I am not certain whether their fix works with Broadcom-based routers,

Again, this was already answered by the developer in post #12:

The wpa_supplicant you've seen patched in those other firmware projects is not used by Broadcom's router mode, they use a proprietary nas executable for WPA2 management.

 

[domjant]

Hello,
I hope I raise my question in the proper place, as I not found any answer on the https://asuswrt.lostrealm.ca/ homepage, what is: Does the Merlin firmware already patched against KRACK (Key Reinstallation Attacks) what is a recently discovered serious weaknesses in WPA2 protocol?
Details of KRACK can be found on https://www.krackattacks.com/ webpage.
Also I would like to know, if Merlin firmware patched already, what release include the fix? If not yet, what is the expected date for it?
Is it depend on ASUS released firmware, or can it be fixed within Merlin firmware separately?
Thank you in advance!