WiNG 5.8.6.7 vs 5.8.6.8 ?

  • Question
  • Updated 3 months ago
  • Answered
I noticed that WiNG 5.8.6.8 was just posted and, according to the release notes, it also contains patches for CVE-2017-13078 and CVE-2017-13080 (WPA2 KRACK).  I was under the impression that 5.8.6.7 was "the" fix.

To clarify, is 5.8.6.8 the definitive patch for the KRACK vulnerabilities?

Andrew Webster


Posted 3 months ago


Robert Zarzycki, Employee


5.8.6.8 is to address some of the WPA2 KRACK vulnerabilities – it carries supplicant patches for Client Bridge mode as well as support for the sensor KRACK signature for ADSP.  (An ADSP release with that functionality should be released shortly.)


Andrew Webster

The issue is that according to this document: https://extremeportal.force.com/ExtrArticleDetail?n=000018005
It indicates 5.8.6.7 would have been "the fix", thus gearing up to upgrade customer's network (which is using client bridge functionality) to 5.8.6.7 only to find out 5.8.6.8 was released to address KRACK in client bridge instances was somewhat frustrating. 

Please update the documentation to reflect this.

Alona, Employee

If you don't have APs in CB mode - you don't need 5.8.6.8. 5.8.6.7 addressed the common place for KRACK vulnerability.

Konstantinos

Hi,

Also in the 5.8.6.8 release notes I read the quoted lines below. Does it mean that if I upgrade the RFS4010 to 5.8.6.8 it will stop communication with AP621?


2. Platforms Supported 
This release applies to all platforms released with WiNG 5.8.6.0-011R.  
Reminder:  
Dependent AP platforms: AP 621, 622, 650 are EOL and engineering support has ended.  
Independent AP platforms: AP 6511, AP 6511E, AP 7131, AP 7181, AP 8222, ES 6510 are 
EOL and engineering support has ended. 
Controller platforms: RFS 4011, RFS 7000, NX 9000, NX 45XX and NX 65XX platforms are 
EOL and engineering has ended. 

Robert Zarzycki, Employee

All it means is that if you find any issues on any of the EndOfLife (EOL) equipment, Engineering will not debug/support it.

Konstantinos

So, if I install it the access ports AP621 will still be able to communicate with the controller?

Konstantinos

If I remember correctly the last img for AP621 was 5.8.4.

Andrew Webster

The AP621 firmware is still part of the RFS4000 image, so if you install it, it will still adopt and operate the AP621, but you can't call support for any issues that might arise.

From the CLI, you can enter:  show device-upgrade versions to see which APs are supported out of the box. 
On the RFS4000 the included firmware is for the AP621, AP622, AP650, AP6521, AP6522, AP6532, AP6562.  Any other APs require additional firmware to be loaded into the RFS.

Konstantinos

Best answer ever.
Thank you.