KRACK attack on WPA2

  • 7
  • 13
  • Problem
  • Updated 3 months ago
  • Solved
  • (Edited)
Hello everyone,
I have some questions due to the expected disclosure today on the attack possible on WPA2 SSIDs.
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.


Link: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-tra...

- Is Extreme aware of this?
- Are Fixes ready to be released?
- Is a software fix sufficient or does hardware need to be replaced?

Thanks and best regards,

Johannes
Photo of Johannes Denninger

Johannes Denninger

  • 492 Points 250 badge 2x thumb

Posted 8 months ago

  • 7
  • 13
Photo of Gary Hartstone

Gary Hartstone

  • 316 Points 250 badge 2x thumb
Hi,
Can anyone from Extreme tell me if 5.8.6.7-002R is the final release for 5.8.x,  or if there will be another 5.8.x main release.
Or will the next main release that includes all KRACK fixes be under 5.9.x?

Thanks
Gary
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hi Gary

At this time, our engineer team will provide fixes on 5.8.6.x release. If there are some new problems or issues on 5.8.6.x, the fixes will be made on 5.8.6.x which means 5.8.6.7-002R may not be the final release for 5.8.x.

Notice,  KRACK includes 10 Vulnerabilities. It does not mean that ExtremeWireless Wing hits on all of those vulnerabilities.

Please check our release note which vulnerabilities could be fixed on WiNG.  

///  5.9.0.2-001R /// 
http://documentation.extremenetworks.com/release_notes/WiNG/9035120-01_WiNG_5_9_0_2_Release_Notes.pd...

/// 5.8.6.7-002R ///
http://documentation.extremenetworks.com/release_notes/WiNG/9035063-01_WiNG_v5_8_6_7_Release_Notes.p...

For other vulnerabilities which be included in KRACK, you need to update client patch.

Best regards,
Bin
Photo of Geovane Gonçalves

Geovane Gonçalves

  • 124 Points 100 badge 2x thumb
Hi Bin,

My plataform is RFS7000 + AP6522 with Wing 5.8.2.0-30R. What is the best firmware branch? 5.8.x.x or 5.9.x.xx ? What is the main branch difference?

Thanks

Geovane
(Edited)
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hello Geovane,

Unfortunately, RFS7000 is already end of engineering support. Please contact our local account team to migrate RFS7000 to another platform, such as NX7500 or VX9000.

Best regards,
Bin 
Photo of Kees

Kees

  • 94 Points 75 badge 2x thumb
Hi Bin,

in the release notes of 5.8.6.0 the AP650 is not mentioned as being EOL.
In the release notes of 5.8.6.7 there is a reminder that the AP650 is EOL but the release applies to all platforms released with WiNG 5.8.6.0-011R.

Can this version be used for AP650 deployments?

Thanks,
Kees
Photo of Karol Radosovsky

Karol Radosovsky

  • 160 Points 100 badge 2x thumb
In the initial statement (and I also explicitly asked about this) was said that also 5.8.4.x fix would be available, which would enable us to support the large install base of AP650 and 622 units. I see that this has been changed and there is no plan to do this. We consider this not quite fair, given the fact that these platforms were EOS only 2 years ago (PMB2543) and engineering support was lifted only half a year after EOS date! We have VX9000 based installations with older sites using AP650's and newer AP7522. Besides, AP650 were still supported in 5.8.6, which in Release Notes for 5.8.6.7 Extreme claims to support all the platforms supported in 5.8.6 and the 650 support was lifted only in 5.9.0. But 5.8.6.7 Release notes says it doesn't support 650. Please, provide a clear statement about this. Appreciate.
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hi Kees,
The AP650 is no longer supported.  Released in 2010, it was announced EOS in May 2015 with software supported extended into 2017, nearly a year longer than normal. Last supported firmware for AP650 is 5.8.6.

Kindly request that you could think about to migrate from AP650 to AP7522/AP8432/AP8533

Best regards,
Bin
Photo of Geovane Gonçalves

Geovane Gonçalves

  • 124 Points 100 badge 2x thumb
Hi Bin,

Thanks for reply.

We are a department of the Brazilian Government and we purchased our WLAN platform in 2014: 2 RFS7000 controllers + 150 AP6522 access points.

Our budget is quite restricted and we do not think it is fair to replace these controllers after only three and a half years of use.

In our point of view, the appropriate position of Extreme Networks'  toward customers inherited from Zebra and Motorola should be to publish the fixes comprehensively, including our version, 5.8.5.

We are not talking about a firmware evolutionary upgrade, but about the correction of a serious vulnerability recently discovered in the WPA2 protocol.

We are looking forward to expanding our Wlan in the near future. In fact, the Brazilian Government is still an emerging market and very promising for the Wlan segment.

We believe that Extreme Networks' final position in this case will be a very enlightening example of their customer policy.

Geovane
Photo of Pierre LAURENT

Pierre LAURENT

  • 110 Points 100 badge 2x thumb
AP650 is still supported by 5.9.0.2 and 5.9.1.0 , so the better way is to switch from 5.8 to 5.9 .

The problem only concern RFS7000 that last firmware is 5.8.5 and actually has no plan to get a 5.8.6.7.

maybe a solution is to drive AP650 with firmware 5.8.6.7 with RFS version 5.8.5 .
the AP650 is part of AP6532 firmware as they're are similar.
Photo of Kees

Kees

  • 94 Points 75 badge 2x thumb
Thanks for the tip, Pierre, but according to the release notes of the versions the AP650 is EOL and end of engineering.
Are you using any of these versions with the AP650?
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hello Geovane,

Very understand your request. Please contact our local sale team and let them know your and our customer's concern. Our sale team may help you push our engineer team to develop the new patch for RFS7000. 

At this moment, I did not have any information to say that we will provide extending support for RFS7000. Very sorry about that.


Best regards,
Bin
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hi Geovane, 

Forget to update one more thing to you. 

802.11r and broadcast key rotation for WPA2/CCMP WLANs are disabled (disabled by default on WiNG 5). Both settings are within the WLAN configuration (broadcast key rotation is under WLAN/Security and 802.11r/Fast BSS Transition is under WLAN/Advanced). 

It means 
  • disable broadcast key rotation to migrate WING-36013 
  • disable 802.11r to migrate WING-36014
  • disable MeshConnx to migrate WING-36016
WING-36013 WPA2 KRACK: Group key replay counter vulnerability (CVE-2017-13078, CVE-2017-13080)
WING-36014 WPA2 KRACK: 802.11r FT Handshake vulnerability (CVE-2017-13082) WING-36016 WPA2 KRACK: MCX PSK 4-way key updated to avoid WPA2 KRACK vulnerability.

Best regards,
Bin
Photo of Pierre LAURENT

Pierre LAURENT

  • 110 Points 100 badge 2x thumb
For Kees ,

never forget that AP650 is quite an AP0632 as it should works same way..

an image is better  tahn words or claiming :


 
Photo of Karol Radosovsky

Karol Radosovsky

  • 160 Points 100 badge 2x thumb
Hi Guys, independently of the above mentioned, I also decided to perform a full testing of the provided images with positive results for both 5.8.6.7-002R and 5.9.0.2-001R. Images for AP6532 also work for AP650, images for AP6522 work for AP622 as well as the AP6521 images work for AP621. Of course this is also the case with AP75xx platforms using only 1 image (7522,7532,7562). For AP platforms, if something goes wrong, there is always a possibility to directly upgrade the firmware via console/ssh with the available images (of course for individual AP's not on a larger scale)...So, in the end, good thing, the differences in written statements in both Release Notes and here on portal play for us and our customers :-) Have a nice weekend and good sleep everyone, The only looser here seems to be the RFS7000.. but in the end, this can be easily replaced by RFS6000 or VX9000 if the implementation scenario allows that (tunelled vs localy bridged wlans, etc.).
Photo of Pierre LAURENT

Pierre LAURENT

  • 110 Points 100 badge 2x thumb
Confirm what Karol says the only thing that drive as a dead end is using AP300 combined with AP75xx , the Firmware should be 5.5.x and no more .
Photo of Geovane Gonçalves

Geovane Gonçalves

  • 124 Points 100 badge 2x thumb
Hi Bin,

About your last tips:

  • disable broadcast key rotation to migrate WING-36013


In my config, key rotation options are disabled .  Do you believe it can be dangerous to enable "Fast roaming"?

  • disable 802.11r to migrate WING-36014


In my config Fast BSS Transition is disable.

  • disable MeshConnx to migrate WING-36016
We don't have mesh configured.

Does this mean that we are immune from WPA2  vulnerability exploit, even though we do not have the fix firmware installed?

Thanks,

Geovane
(Edited)
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hi Geovane,

For the question 1: 
Opportunistic key caching (OKC) is a non-standard but widely-implemented method for achieving fast roaming. It existed before the creation of 802.11r.

Therefore, fast roaming - OKC does not use the FT handshake and is not affected by the FT handshake vulnerability.


For the question 2: 
The configuration will mitigate, but not eliminate, the vulnerability. 

Of course, the recommending action that still leaves the network vulnerable is risky. 


Best regards,
Bin 
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
How to mitigate KRACK vulnerability when update of WiNG is not possible?
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-mitigate-KRACK-vulnerability-when-u...
Photo of Drew C.

Drew C., Community Manager

  • 37,366 Points 20k badge 2x thumb
The VN has been updated again. The only change this time was to add the following information:
Extreme Networks will be offering a free, one-time download for ExtremeWireless and ExtremeWireless WiNG customers that are without a paid maintenance contract. This one-time download will provide access to an updated firmware release, but will not include additional warranty or support from Extreme Networks without a paid support contract. The firmware will be available on currently supported access point/controller models only. This one-time download will be available soon, and the link will be provided on this page when it becomes available.
VN2017-005 - KRACK, WPA2 Protocol Flaw
(Edited)
Photo of Vedran Jurak

Vedran Jurak

  • 848 Points 500 badge 2x thumb
Was reading the release schedule in the VN and noticed the following:

WiNG 5.9.1.1 (Target: November 7, 2017)WiNG 5.9.1.2 (Target: November 29, 2017)
Why two different versions for the 5.9.1 branch?
Photo of Pierre LAURENT

Pierre LAURENT

  • 110 Points 100 badge 2x thumb
For Me 5.9.1.1 is a standard maintenance  version for 5.9.1.0 ( planned)
5.9.1.2 should be 5.9.1.1 + KRACK ( actually  in 5.9.0.2 )
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hi all,

Extreme Networks is offering a free and one-time download for KRACK issue on ExtremeWireless and Extreme Wireless WiNG customers.

Kindly reference for the following URL.

KRACK Vulnerability Download Site – Extreme Networks
https://learn.extremenetworks.com/Wi-Fi-Vulnerability-Firmware-Download-oct2017_LP.html

Best regards,
Bin
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hi All,

Extreme Networks has been released WiNG 5.8.6.8 - WiNG 5.8.6.8 Release Notes.

In this release, we add to address some of WPA2 KRACK vulnerabilities for "Client Bridge" mode as well as support for sensor KRACK signature (ADSP release with that functionality should be released shortly).

Best regards,
Bin
Hi All,

Bonjour,


As mentioned on this Link, https://extremeportal.force.com/ExtrArticleDetail?n=000018005

WiNG 5.9.1.2 will be targeted for November 29th. But still not yet released. I'm expecting a fix ASAP. 


Thanks in advance. :)
Hi,

Thanks for for your help, Please share me the download link if it is possible.
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hi,

The firmware could be downloaded from Extreme Portal
https://extremeportal.force.com/ExtrSupportHome

Here is one article to explain how to use Extreme Portal 
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-get-access-to-Extranet-for-for-firm...

Best regards,
Bin
Photo of Doug Hyde

Doug Hyde, Technical Support Manager

  • 20,192 Points 20k badge 2x thumb
Great video on the attack. https://youtu.be/pjTTG2nZax0
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Had joined this webinar. :) 
Really great summary from CWNP.
Photo of Bin

Bin, Employee

  • 5,350 Points 5k badge 2x thumb
Hello all.

ExtremeNetworks just released ADSP 5.9.0. 

ADSP 9.5.0 adds the following new signatures for the KRACK attack:
  • MAC Spoof Activity Observed
  • Key Reinstallation Attack Detected
https://documentation.extremenetworks.com/release_notes/ADSP/9035225_ADSP-9-5-0-Release-Notes-v1_0.p...

Best regards,
Bin