Severe WPA2 Vulnerability

Seeing a lot on twitter about a severe flaw in WPA2 and that many router manufactures are being pressed to patch. Will GLI be patched?

Article here: Serious flaw in WPA2 protocol lets attackers intercept passwords and much more | Ars Technica

Some details (I believe more details will be shared today):

“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”

 

The firmware is based on Lede/OpenWRT. Those are currently working on getting it fixed. I guess gl-inet will apply these same fixes on their firmware after those are ready.

Commit for Lede are already made:

• Master: https://git.lede-project.org/?p=source.git;a=commit;h=bbda81ce3077dfade2a43a39f772cfec2e82a9a5
• 17.01 branch: https://git.lede-project.org/?p=source.git;a=commit;h=63c17142c865618977a540485eea7a9487a58029

So it doubt it will take to long for gl-inet to get their firmware fixed.

 

Good to hear thanks @Groentjuh

Also, does anyone know if the auto update feature work on GLI? on one of my models, I’ve had it plugged in with auto-update set to on for a few days on an older version with no change?

On OpenWRT forum I read that it’s going to be fixed in LEDE 17.1.4.

https://forum.openwrt.org/viewtopic.php?id=72340

My GL-MT300A devices are on OpenWrt Chaos Calmer 15.05 r47065.

it would be great if this was fixed in the gl.inet firmware

Please check.