ExtremeWireless (WiNG)

Expand all | Collapse all

KRACK attack on WPA2

Knut Arne Nygård

Knut Arne Nygård10-16-2017 12:13

Pierre LAURENT

Pierre LAURENT11-02-2017 09:45

  • 1.  KRACK attack on WPA2

    Posted 10-16-2017 04:47
    Hello everyone,
    I have some questions due to the expected disclosure today on the attack possible on WPA2 SSIDs.
    US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.


    Link: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-tra...

    - Is Extreme aware of this?
    - Are Fixes ready to be released?
    - Is a software fix sufficient or does hardware need to be replaced?

    Thanks and best regards,

    Johannes


  • 2.  RE: KRACK attack on WPA2

    Posted 10-16-2017 04:59
    Hi Johannes,

    Extreme is fast but not that fast, from what I'd read in the web the guys that found the vulnerability will release more information how it works in 5 hours.

    I'm very confident that Extreme will implement a fix.

    Cheers,
    Ron


  • 3.  RE: KRACK attack on WPA2

    Posted 10-16-2017 04:59
    Extreme was notified in August like the other vendors. https://www.kb.cert.org/vuls/id/228519/

    https://www.kb.cert.org/vuls/id/CHEU-AQNN43



  • 4.  RE: KRACK attack on WPA2

    Posted 10-16-2017 04:59
    This is my concern as well. Many other major vendors had a fix that was already put into previous updates or was released yesterday. I would have expected the same from Extreme, but that doesn't seem to be the case.


  • 5.  RE: KRACK attack on WPA2

    Posted 10-16-2017 04:59
    I'm curious too. Could someone from Extreme shed some light on this?


  • 6.  RE: KRACK attack on WPA2

    Posted 10-16-2017 04:59
    Extreme Networks was notified by the CERT regarding the KRACK vulnerability, which was subsequently communicated to the Engineering team. The team is working on a solution to be completed by end of this week (10/20). We are reviewing procedures to confirm vulnerability response urgency meets expectations. Thanks for your patience.


  • 7.  RE: KRACK attack on WPA2

    Posted 10-16-2017 04:59
    I suppose, engineering team would be releasing patches not only to latest WING firmware (5.9.1) but also to previous series (i.e. 5.8.4) as we have some VX-based installations with multiple types of APs in place (622,650,75xx). Thanks for confirmation.


  • 8.  RE: KRACK attack on WPA2

    Posted 10-16-2017 04:59
    Please take a look into the Vulnerability Notice.....

    https://extremeportal.force.com/ExtrArticleDetail?n=000018005


  • 9.  RE: KRACK attack on WPA2

    Posted 10-16-2017 07:10
    I was just asking because other vendors apparently have updates available / in beta. But I guess we'll see soon what all the fuss is about!


  • 10.  RE: KRACK attack on WPA2

    Posted 10-16-2017 09:42
    The corresponding paper:
    "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2"
    https://papers.mathyvanhoef.com/ccs2017.pdf



  • 11.  RE: KRACK attack on WPA2

    Posted 10-16-2017 09:58
    A different article I read indicated that vendors were made aware of this a couple months ago. Hoping that maybe the fixes were put into a recent firmware release ?


  • 12.  RE: KRACK attack on WPA2

    Posted 10-16-2017 10:02


  • 13.  RE: KRACK attack on WPA2

    Posted 10-16-2017 11:23
    I already have fixes for other vendor devices, but need them for the WiNG access points also, so same question.


  • 14.  RE: KRACK attack on WPA2

    Posted 10-16-2017 12:08
    I've asked the WiNG and IdentiFi teams for an update. I'll share with the thread when I have more information.


  • 15.  RE: KRACK attack on WPA2

    Posted 10-16-2017 12:13
    And for the WLAN 9100 series from Avaya please!


  • 16.  RE: KRACK attack on WPA2

    Posted 10-16-2017 12:13
    The Avaya 9100 series is still supported by Avaya. Unfortunately, I won't have an answer on that, but still may be able to get more information.


  • 17.  RE: KRACK attack on WPA2

    Posted 10-16-2017 12:13
    Thanx. The product house and development (...) has moved to Extreme, probably not many left...?


  • 18.  RE: KRACK attack on WPA2

    Posted 10-16-2017 13:09


  • 19.  RE: KRACK attack on WPA2

    Posted 10-16-2017 15:38
    Would ADSP be able to be updated to detect this?


  • 20.  RE: KRACK attack on WPA2

    Posted 10-16-2017 15:38
    I think so. From an email thread I saw earlier this morning, it sounds like someone is working to create a detection signature for this.


  • 21.  RE: KRACK attack on WPA2

    Posted 10-16-2017 15:38
    Hi James, I added some ADSP information to the article earlier this morning. It's in the repair recommendations section.


  • 22.  RE: KRACK attack on WPA2

    Posted 10-16-2017 15:44
    I went ahead and published a preliminary Vulnerability Notice for KRACK. There's not much content right now, so we'll be updating it as more info comes in from various teams.

    VN 2017-005 - KRACK, WPA2 Protocol Flaw


  • 23.  RE: KRACK attack on WPA2

    Posted 10-16-2017 17:15

    In the described attack, a rough ap on a different channel is used to reinstall an already-in-use key. Therefore AirDefense and Radar can help to recognize the attacker (rough ap) and prevent clients to contact such an rough ap. This wil not solve the root cause but can reduce the possible attack area.


  • 24.  RE: KRACK attack on WPA2

    Posted 10-16-2017 19:30
    Putting a small statment to stay up to date regarding this topic.


  • 25.  RE: KRACK attack on WPA2

    Posted 10-16-2017 19:30
    For others who are interested, the "follow" button at the top-right side of the page has the same effect ;)


  • 26.  RE: KRACK attack on WPA2

    Posted 10-16-2017 20:30


  • 27.  RE: KRACK attack on WPA2

    Posted 10-16-2017 21:08
    Hello everyone.The VN has been updated with more complete information. It will continue to be updated as needed. I'll also post here when updates are made. When I get back to the office tomorrow, I'll work on getting an email sent out to the subscribers of the notification service.

    VN2017-005 - KRACK, WPA2 Protocol Flaw


  • 28.  RE: KRACK attack on WPA2

    Posted 10-17-2017 12:26
    This reply was created from a merged topic originally titled New WPA2 vulnerability - any patches for Wing systems yet?. Hi all,

    I was just checking with the new WPA2 vulnerability hitting the news stream yesterday, is there any patches / fixes released yet from Extreme?

    We're using the older Wing v5.8 (Zebra) systems.


  • 29.  RE: KRACK attack on WPA2

    Posted 10-17-2017 12:26
    Hi Jacob,
    I merged your topic into this one. Ondrej responded there pointing you to this article with full details: VN2017-005 - KRACK, WPA2 Protocol Flaw
    Patches are expected to be released by the end of the week.


  • 30.  RE: KRACK attack on WPA2

    Posted 10-17-2017 14:17
    Can the use of Fast Roaming features (Pairwise Master Key (PMK) Caching
    Opportunistic Key Caching) on wifi network facilitate the KRACK attack?


  • 31.  RE: KRACK attack on WPA2

    Posted 10-17-2017 14:17
    802.11r handshake is susceptible to the KRACK attack as per the inforamtion in the paper here: https://papers.mathyvanhoef.com/ccs2017.pdf (paper link credit to Daniel Bernhardt)


  • 32.  RE: KRACK attack on WPA2

    Posted 10-17-2017 14:17
    In the Zebra / Wing 5.8x platform management console, Fast Roaming features (Security) are configured in separate sections of 802.11r - Fast BSS Transition (Advanced option of Wireless Network config)


  • 33.  RE: KRACK attack on WPA2

    Posted 10-18-2017 10:12
    Hi, as per VN 2017-005, 802.11r over the air is disabled in WiNG but 802.11r over the DS is enabled by default.

    Is 802.11r over the DS vulnerable?

    I'm thinking no since most of the communication is between the APs / RF Domain Manager / Site Controller.

    Thanks.


  • 34.  RE: KRACK attack on WPA2

    Posted 10-19-2017 11:30
    this attack affect products WM3600, AP4600, AP4500, WM100 and A350-2?


  • 35.  RE: KRACK attack on WPA2

    Posted 10-20-2017 13:26
    Is there a better timeline on the release of the patches? We are looking to patch our customers this weekend during a scheduled outage if possible.


  • 36.  RE: KRACK attack on WPA2

    Posted 10-20-2017 13:26
    Hi Kyle,
    Which platform are you looking for?

    IdentiFi v10.31.07.0002 was published just a few minutes ago and can be found here: https://extremeportal.force.com/ExtrProductDetail?id=01t34000003w10tAAA
    WiNG will be released soon.



  • 37.  RE: KRACK attack on WPA2

    Posted 10-20-2017 13:26
    VX9000 (WiNG) and various APs. I see those won't be out until Monday so we'll moved the outage.


  • 38.  RE: KRACK attack on WPA2

    Posted 10-21-2017 19:27
    Has anyone loaded the IdentiFi v10.31.07.0002 patch yet ? I am going to load it before the start of business on monday and was wondering if anyone had any feedback, no issues after the upgrade ?


  • 39.  RE: KRACK attack on WPA2

    Posted 10-21-2017 19:27
    Hello, JP

    v10.31.07.0002 has be released.

    Hotfix Development (in process)

    • 10.31.07.0002 (AP3700, AP3800, AP3900) Maintenance Release October 20, 2017
    https://extremeportal.force.com/ExtrArticleDetail?n=000018005

    Best regards,
    Bin


  • 40.  RE: KRACK attack on WPA2

    Posted 10-21-2017 19:27
    I upgraded on Sunday night, no complaints this morning.


  • 41.  RE: KRACK attack on WPA2

    Posted 10-21-2017 19:27
    Thanks. Upgraded here before the day began on monday as well.


  • 42.  RE: KRACK attack on WPA2

    Posted 10-23-2017 07:02
    Hello,

    i cannot search the WiNG 5.8.6.7 firmware in download portal. No result even the previous firmware. i also try the "Advanced" option and different web browser.

    Thanks!

    regards,
    Marlon



  • 43.  RE: KRACK attack on WPA2

    Posted 10-23-2017 07:02
    Hi,

    Use Products/ExtremeWireless instead and you can find 5.8.6.7 under ExtremeWireless™ WiNG Appliances or AP's

    //Paul



  • 44.  RE: KRACK attack on WPA2

    Posted 10-23-2017 07:02
    Great! thanks Paul.

    regards,
    Marlon


  • 45.  RE: KRACK attack on WPA2

    Posted 10-23-2017 20:22
    Is there going to be a v9 release with the fix to support the older APs?


  • 46.  RE: KRACK attack on WPA2

    Posted 10-23-2017 20:22
    Hi, Kerzi

    The following older AP will be fixed in V9. But, the release time is not fix yet.
    • 9.21.19.xxxx (AP3600, AP3700, AP3800) Release schedule pending
    • 9.21.19.xxxx (AP2600) Release schedule pending
    Best regards


  • 47.  RE: KRACK attack on WPA2

    Posted 10-24-2017 12:54
    All,

    As a note, the AP7532 image was not included in the RFS6000 5.8.6.7 image. If you want the controller to auto upgrade the APs, also grab the 7532 image and use the 'device-upgrade load-image ap7532 ftp://X.X.X.X command to get it integrated into your RFS.



  • 48.  RE: KRACK attack on WPA2

    Posted 10-25-2017 15:04
    Hello everyone, I added some release and schedule updates to the VN earlier today.
    VN 2017-005 - KRACK, WPA2 Protocol Flaw


  • 49.  RE: KRACK attack on WPA2

    Posted 10-25-2017 15:04
    10.41.01.81 – Up-issue (AP3700, AP3800, AP3900) (Target: October 27, 2017)
    What does "up-issue" mean ?


  • 50.  RE: KRACK attack on WPA2

    Posted 10-25-2017 15:04
    I'll find out... I wondered the same when I was asked to post it :)


  • 51.  RE: KRACK attack on WPA2

    Posted 10-25-2017 15:04
    Never seen that sentence before but I hope it's a synonym for ... it includes the fix for my open ticket 🙂


  • 52.  RE: KRACK attack on WPA2

    Posted 10-25-2017 15:04
    I changed it to hotfix since its essentially v10.41.01.80 (GA) + Hotfixes for KRACK. If we incremented the other numbers in the version, some might assume it includes new features.


  • 53.  RE: KRACK attack on WPA2

    Posted 10-25-2017 15:04
    Looks like I'll pass on that and wait for the version that incl the ACWS fix.

    Thanks,
    Ron


  • 54.  RE: KRACK attack on WPA2

    Posted 10-25-2017 15:04
    Please update the article VN 2017-005 - KRACK, WPA2 Protocol Flaw to include the fact that 5.8.6.8 corrects KRACK on Client Bridge installations. There is some confusion surrounding the fact that TWO versions were released for KRACK fix (5.8.6.7 and 5.8.6.8).



  • 55.  RE: KRACK attack on WPA2

    Posted 10-25-2017 15:04
    Hi Andrew - I've updated the article with information on both of these versions. Sorry for the confusion and thank you for pointing out the information gap.


  • 56.  RE: KRACK attack on WPA2

    Posted 10-26-2017 00:48
    Hi,
    Can anyone from Extreme tell me if 5.8.6.7-002R is the final release for 5.8.x, or if there will be another 5.8.x main release.
    Or will the next main release that includes all KRACK fixes be under 5.9.x?

    Thanks
    Gary


  • 57.  RE: KRACK attack on WPA2

    Posted 10-26-2017 00:48
    Hi Gary

    At this time, our engineer team will provide fixes on 5.8.6.x release. If there are some new problems or issues on 5.8.6.x, the fixes will be made on 5.8.6.x which means 5.8.6.7-002R may not be the final release for 5.8.x.

    Notice, KRACK includes 10 Vulnerabilities. It does not mean that ExtremeWireless Wing hits on all of those vulnerabilities.

    Please check our release note which vulnerabilities could be fixed on WiNG.

    /// 5.9.0.2-001R ///
    http://documentation.extremenetworks.com/release_notes/WiNG/9035120-01_WiNG_5_9_0_2_Release_Notes.pd...

    /// 5.8.6.7-002R ///
    http://documentation.extremenetworks.com/release_notes/WiNG/9035063-01_WiNG_v5_8_6_7_Release_Notes.p...

    For other vulnerabilities which be included in KRACK, you need to update client patch.

    Best regards,
    Bin


  • 58.  RE: KRACK attack on WPA2

    Posted 10-26-2017 00:48
    Hi Bin,

    My plataform is RFS7000 + AP6522 with Wing 5.8.2.0-30R. What is the best firmware branch? 5.8.x.x or 5.9.x.xx ? What is the main branch difference?

    Thanks

    Geovane


  • 59.  RE: KRACK attack on WPA2

    Posted 10-26-2017 00:48
    Hello Geovane,

    Unfortunately, RFS7000 is already end of engineering support. Please contact our local account team to migrate RFS7000 to another platform, such as NX7500 or VX9000.

    Best regards,
    Bin


  • 60.  RE: KRACK attack on WPA2

    Posted 10-26-2017 00:48
    Hi Bin,

    in the release notes of 5.8.6.0 the AP650 is not mentioned as being EOL.
    In the release notes of 5.8.6.7 there is a reminder that the AP650 is EOL but the release applies to all platforms released with WiNG 5.8.6.0-011R.

    Can this version be used for AP650 deployments?

    Thanks,
    Kees


  • 61.  RE: KRACK attack on WPA2