15

I have an updated RPI Zero W running Stretch.

The research is stating that wpa_supplicant is vulnerable on all Linux machines. According to Debian patches are rolled out:

For the oldstable distribution (jessie), these problems have been fixed
in version 2.3-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.

For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.

My RPI is running wpasupplicant version 2:2.4-1:

apt search wpasupplicant

wpasupplicant/stable,now 2:2.4-1 armhf [installed]
  client support for WPA and WPA2 (IEEE 802.11i)

Does that mean that Raspberry Pi's are already patched for this Crack attack?

flakeshake
  • 6,235
  • 1
  • 14
  • 33
Janghou
  • 1,446
  • 1
  • 16
  • 20

4 Answers4

15

Yes, your Pis are vulnerable until the patched versions of the Debian packages are available for Raspbian.

Edit: The patched versions are now available for Raspbian.

speakr
  • 259
  • 1
  • 4
  • 3
    The OP is running 2:2.4-1 (vulnerable) not 2:2.4-1.1 (fixed), so the answer to his question if the Pi's are already patched is NO. (Yes, it's confusing that the OP asks opposing questions in the title and the body, but this answer really needs to be very clear about this) – marcelm Oct 17 '17 at 12:45
4

No, (but yes it was) a fully updated Raspberry Pi (Zero) with Stretch is no longer vulnerable.

Updates were made available this early morning.

Just run:

sudo apt update && sudo apt upgrade

And you're safe.

apt search wpasupplicant

wpasupplicant/stable,now 2:2.4-1+deb9u1 armhf [installed]
  client support for WPA and WPA2 (IEEE 802.11i)
techraf
  • 4,319
  • 10
  • 31
  • 42
Janghou
  • 1,446
  • 1
  • 16
  • 20
2

Yes these issues almost certainly affect raspbian and the patches are not yet in the public raspbian repos.

Unfortunately some things are snarled up infrastructure wise which has prevented any updates to the public raspbian repo for the last couple of days. I am trying to unsnarl stuff and get the updates out now.

Update (20171002 01:38):

The fixes for raspbian Jessie and Stretch should now be in the public raspbian repo.

The fix for raspbian buster should follow in a few hours.

I do not know if/when there will be a fix for wheezy.

Peter Green
  • 6,476
  • 1
  • 19
  • 24
1

Mine is, just after I did an update, pi zero w, raspbian jessie:

wpasupplicant/oldstable,now 2.3-1+deb8u4 armhf [installed]

I think not yet patched.

User98764431
  • 569
  • 1
  • 19
  • 33
Adriano
  • 19
  • 2