Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

My Lineage OS ROM is already patched, pretty cool.

FreeBSD Project: There is no official response at the time of writing.

Bottom of Mathy’s website says they notified FreeBSD early on and FreeBSD patched too soon I guess.

https://www.krackattacks.com/

So when is a script kiddie like me going to see a tool leveraging this in Kali?

That wasn’t FreeBSD but OpenBSD

Take cover, BSD fanboys will hate you for not knowing the difference.

Ah crap, I’m a dead man, and my pfSense router updates will be blocked from now on…

Computerphile explanation, in order to add things other vids missed.

1 Like

CentOS is Fedora-based… patch available for Cent 6-7 yet? Checked this morning but didn’t see any updates.

I forget what the Fedora patch was but it was like wpa_supplicant I think.

Yes, WPA supplicant is the file that you have to point to the wlan0’s driver I think. I’ll search around CentOS site tomorrow for more findings.

The wpa_supplicant update that fixes the issue was released 2 days ago for Fedora 25-27, and the issue was reported on the 10/10/2017.

hostapd on EPEL has also been reported to be affected but the report was only sent 3 hours ago from now XD.

1 Like

What I don’t get is why the author was sitting on this since May, when he presented the stuff at some con. Giving people some time to patch is OK, but 6 months is a bit too much for this kind of info to be out in the wild.

Adapter sales, man.

Wait, he presented this in May? What?!

That is too long… :confused:

1 Like

They did not present it in May. They submitted their paper for peer review in May, and it was accepted and disclosed this month. The information was not out in the wild… In the meantime they informed the vendors about the issue. The paper is to be presented in November.

3 Likes

It’s still way too long.

I don’t think academic papers, journals and conferences are the right medium for security issues.

Also worrying is the amount of practical end-user-applicable advice, for example 802.1x.

Compare this paper/website to the publications around Infineon ROCA where they practically give out pen testing code. (Their code is slow and didn’t take into account GPUs or FPGAs in their research, but the published stuff is way more usable)

That is where all security research is globally presented. Journals and conferences like Defcon and Black Hat. I am not sure what you expected.

Way too long for what? They found the vulnerability, they realized that its extent is huge, they informed CERT (and similar organizations) and gave the vendors a few months to plan to patch it. That is the typical responsible disclosure process. That’s not sitting on the information. That is how you are supposed to do it.

3 Likes

Yep. When I said it was too long, I was under the impression that there was documentation on this flaw floating around in the public.

Since it was kept private, it’s okay. I would have liked to have known about it earlier, but responsible disclosure takes time.