Recommended Patch Course for 7181

  • Question
  • Updated 9 months ago
  • Answered
What would the recommended course of action be with EOL devices and the recent Krack attack? I know the 7181 is EOL, but has a patch been released for the last firmware? I believe the latest firmware that was supported was 5.8.4.0-034.

Kendal Ingraham

Posted 10 months ago


Christopher Frazee, Employee

Hello Kendal,
WiNG v5.8.5.x was the last release for the EOL AP7181, and Extreme Networks is only patching v5.8.6, v5.9.0, and v5.9.1 builds with regard to the WPA2/KRACK vulnerability. I would ensure that 802.11r and broadcast key rotation for WPA2/CCMP WLANs are disabled (disabled by default on WiNG 5). Both settings are within the WLAN configuration (broadcast key rotation is under WLAN/Security and 802.11r/Fast BSS Transition is under WLAN/Advanced).

Timo

Christopher, can we see this as official information, that version old as 5.8.6 get no patch? At the beginning the KRACK site said "5.7.x / 5.8.x / 5.9.x". Now it's 5.8.6 / 5.9.0 / 5.9.1.

Christopher Frazee, Employee

Hello Timo,
      You can view the info at the following URL:

https://extremeportal.force.com/ExtrArticleDetail?n=000018005

Kendal Ingraham

Bummer! I will look at the recommendations you have given.

Andrew Webster

Go have a look at this thread: https://community.extremenetworks.com/extreme/topics/krack-attack-on-wpa2

If your APs are controlled by a current controller (pretty much anything except RFS7000), it contains AP code for the most recent version of firmware, so for instance AP71xx 5.8.6.7 is present on the Controller, and it can upgrade the devices. A note of caution, however: it would not be supported by GTAC if you needed assistance.

<rant>
As a general observation, there appears to be an underlying sentiment in this forum that Extreme Networks (to be clear, I'm talking about the decision makers and not the excellent technical and support staff) is attempting to profit from the WPA2 Krack vulnerability by pushing customers off the legacy gear by simply not supporting it.
The code change in the RFS7000 for instance would be identical to that in the RFS6000, since for years the sales argument is that all the platforms run the same code.  Similarly even going back to 5.7.x it would be the same code changes to fix the problem.   So technically speaking there's nothing stopping Extreme Networks from issuing patches for older code revisions, which would go a long way to making it feel like Extreme Networks takes their customers' networks to heart.
</rant>

Christopher Frazee, Employee

The RFS series controllers have a limited amount of flash available, and the following are the pre-loaded AP images when upgrading an RFS wireless controller (example from RFS4000 v5.8.6.7):

RFS4K-WAN#sh device-upgrade ver
--------------------------------------------------------------------------------
        CONTROLLER              DEVICE-TYPE                  VERSION
--------------------------------------------------------------------------------
  RFS4K-WAN                ap621                    5.8.6.7-002R
  RFS4K-WAN                ap622                    5.8.6.7-002R
  RFS4K-WAN                ap650                    5.8.6.7-002R
  RFS4K-WAN                ap6511                   none
  RFS4K-WAN                ap6521                   5.8.6.7-002R
  RFS4K-WAN                ap6522                   5.8.6.7-002R
  RFS4K-WAN                ap6532                   5.8.6.7-002R
  RFS4K-WAN                ap6562                   5.8.6.7-002R
  RFS4K-WAN                ap71xx                   none
  RFS4K-WAN                ap7502                   none
  RFS4K-WAN                ap7522                   none
  RFS4K-WAN                ap7532                   none
  RFS4K-WAN                ap7562                   none
  RFS4K-WAN                ap81xx                   none
  RFS4K-WAN                ap82xx                   none
  RFS4K-WAN                ap8432                   none
  RFS4K-WAN                ap8533                   none

All other AP images would need to be uploaded to the RFS controller and typically no more than 2 to 3 additional images can be uploaded to the controller. 

As for the RFS7000 comments, the RFS7000 has been EOS for a couple of years now, with plenty of time for customers to refresh. The code is the same across each platform, but the hardware is not. 

For the time being, with 802.11r disabled and broadcast key rotation disabled (both disabled by default on all WiNG 5 platforms), you should be fine, but I would start looking to refresh your RFS controllers with newer models.
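
Added example, not part of the thread or of any Extreme Networks tooling: a small Python audit of `sh device-upgrade ver` output that reports, per AP type, whether the controller holds an image from a release train the thread lists as receiving KRACK fixes (5.8.6, 5.9.0, 5.9.1), an image from another train, or no image at all. The sample rows are constructed from the table above plus one made-up `ap6511` row; the thread does not name the exact fixed build, so only the train is compared.

```python
import re

# Release trains the thread says receive KRACK fixes. The fixed build number
# inside each train is not given there, so only the train is compared.
PATCHED_TRAINS = {(5, 8, 6), (5, 9, 0), (5, 9, 1)}

ROW = re.compile(r"^\s*(\S+)\s+(ap\S+)\s+(\S+)\s*$")      # controller, type, version
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.\d+-\w+$")   # e.g. 5.8.6.7-002R

# Constructed sample: rows copied from the table in the thread, plus one
# made-up ap6511 row to show an image from an older train.
SAMPLE = """\
RFS4K-WAN#sh device-upgrade ver
--------------------------------------------------------------------------------
        CONTROLLER              DEVICE-TYPE                  VERSION
--------------------------------------------------------------------------------
  RFS4K-WAN                ap621                    5.8.6.7-002R
  RFS4K-WAN                ap6511                   5.7.2.0-010R
  RFS4K-WAN                ap71xx                   none
  RFS4K-WAN                ap7532                   none
"""

def parse_device_upgrade(text):
    """Map device type -> image version string, or None when no image is loaded."""
    images = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # prompt, rulers and the header row do not match
            images[m.group(2)] = None if m.group(3) == "none" else m.group(3)
    return images

def classify(version):
    if version is None:
        return "no-image"          # must be uploaded to the controller first
    m = VERSION.match(version)
    if not m:
        return "unparsed"
    train = tuple(int(x) for x in m.groups())
    return "patched-train" if train in PATCHED_TRAINS else "unpatched-train"

def audit(text):
    """Map device type -> status for every table row in the CLI output."""
    return {dev: classify(ver) for dev, ver in parse_device_upgrade(text).items()}

if __name__ == "__main__":
    for dev, status in sorted(audit(SAMPLE).items()):
        print(f"{dev:8} {status}")
```

AP types reported as `no-image` or `unpatched-train` are the ones that need an image uploaded to the controller, or that must rely on the 802.11r and broadcast key rotation settings staying disabled.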