Header Only - DO NOT REMOVE - Extreme Networks

KRACK attack on WPA2


Userlevel 2
Hello everyone,
I have some questions due to the expected disclosure today on the attack possible on WPA2 SSIDs.

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.



Link: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-tra...

- Is Extreme aware of this?
- Are Fixes ready to be released?
- Is a software fix sufficient or does hardware need to be replaced?

Thanks and best regards,

Johannes

84 replies

Userlevel 7
Hi Johannes,

Extreme is fast but not that fast, from what I'd read in the web the guys that found the vulnerability will release more information how it works in 5 hours.

I'm very confident that Extreme will implement a fix.

Cheers,
Ron
Ron wrote:

Hi Johannes,

Extreme is fast but not that fast, from what I'd read in the web the guys that found the vulnerability will release more information how it works in 5 hours.

I'm very confident that Extreme will implement a fix.

Cheers,
Ron

Extreme was notified in August like the other vendors. https://www.kb.cert.org/vuls/id/228519/

https://www.kb.cert.org/vuls/id/CHEU-AQNN43
Userlevel 2
Ron wrote:

Hi Johannes,

Extreme is fast but not that fast, from what I'd read in the web the guys that found the vulnerability will release more information how it works in 5 hours.

I'm very confident that Extreme will implement a fix.

Cheers,
Ron

This is my concern as well. Many other major vendors had a fix that was already put into previous updates or was released yesterday. I would have expected the same from Extreme, but that doesn't seem to be the case.
Userlevel 2
Ron wrote:

Hi Johannes,

Extreme is fast but not that fast, from what I'd read in the web the guys that found the vulnerability will release more information how it works in 5 hours.

I'm very confident that Extreme will implement a fix.

Cheers,
Ron

I'm curious too. Could someone from Extreme shed some light on this?
Userlevel 7
Ron wrote:

Hi Johannes,

Extreme is fast but not that fast, from what I'd read in the web the guys that found the vulnerability will release more information how it works in 5 hours.

I'm very confident that Extreme will implement a fix.

Cheers,
Ron

Extreme Networks was notified by the CERT regarding the KRACK vulnerability, which was subsequently communicated to the Engineering team. The team is working on a solution to be completed by end of this week (10/20). We are reviewing procedures to confirm vulnerability response urgency meets expectations. Thanks for your patience.
Userlevel 1
Ron wrote:

Hi Johannes,

Extreme is fast but not that fast, from what I'd read in the web the guys that found the vulnerability will release more information how it works in 5 hours.

I'm very confident that Extreme will implement a fix.

Cheers,
Ron

I suppose, engineering team would be releasing patches not only to latest WING firmware (5.9.1) but also to previous series (i.e. 5.8.4) as we have some VX-based installations with multiple types of APs in place (622,650,75xx). Thanks for confirmation.
Userlevel 7
Ron wrote:

Hi Johannes,

Extreme is fast but not that fast, from what I'd read in the web the guys that found the vulnerability will release more information how it works in 5 hours.

I'm very confident that Extreme will implement a fix.

Cheers,
Ron

Please take a look into the Vulnerability Notice.....

https://extremeportal.force.com/ExtrArticleDetail?n=000018005
Userlevel 2
I was just asking because other vendors apparently have updates available / in beta. But I guess we'll see soon what all the fuss is about!
The corresponding paper:
"Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2"
https://papers.mathyvanhoef.com/ccs2017.pdf
Userlevel 2
A different article I read indicated that vendors were made aware of this a couple months ago. Hoping that maybe the fixes were put into a recent firmware release ?
Userlevel 2
There are updates from other vendors already:

https://www.reddit.com/r/KRaCK/comments/76pjf8/krack_megathread_check_back_often_for_updated/
I already have fixes for other vendor devices, but need them for the WiNG access points also, so same question.
Userlevel 7
I've asked the WiNG and IdentiFi teams for an update. I'll share with the thread when I have more information.
And for the WLAN 9100 series from Avaya please!
Userlevel 7
Knut Arne Nygård wrote:

And for the WLAN 9100 series from Avaya please!

The Avaya 9100 series is still supported by Avaya. Unfortunately, I won't have an answer on that, but still may be able to get more information.
Knut Arne Nygård wrote:

And for the WLAN 9100 series from Avaya please!

Thanx. The product house and development (...) has moved to Extreme, probably not many left...?
Userlevel 3
Really good summary here: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf
Would ADSP be able to be updated to detect this?
Userlevel 7
James A wrote:

Would ADSP be able to be updated to detect this?

I think so. From an email thread I saw earlier this morning, it sounds like someone is working to create a detection signature for this.
Userlevel 7
James A wrote:

Would ADSP be able to be updated to detect this?

Hi James, I added some ADSP information to the article earlier this morning. It's in the repair recommendations section.
Userlevel 7
I went ahead and published a preliminary Vulnerability Notice for KRACK. There's not much content right now, so we'll be updating it as more info comes in from various teams.

VN 2017-005 - KRACK, WPA2 Protocol Flaw
Userlevel 5
In the described attack, a rough ap on a different channel is used to reinstall an already-in-use key. Therefore AirDefense and Radar can help to recognize the attacker (rough ap) and prevent clients to contact such an rough ap. This wil not solve the root cause but can reduce the possible attack area.
Userlevel 6
Putting a small statment to stay up to date regarding this topic.
Userlevel 7
M.Nees wrote:

Putting a small statment to stay up to date regarding this topic.

For others who are interested, the "follow" button at the top-right side of the page has the same effect 😉
https://i.imgur.com/UE5bd27.gif

Reply