Extreme Networks

Johannes_Dennin · ‎10-16-2017

Hello everyone,
I have some questions due to the expected disclosure today on the attack possible on WPA2 SSIDs.

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

Link: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-tra...

- Is Extreme aware of this?
- Are Fixes ready to be released?
- Is a software fix sufficient or does hardware need to be replaced?

Thanks and best regards,

Johannes

Geovane_Gonçalv · ‎10-26-2017

Hi Bin,

My plataform is RFS7000 + AP6522 with Wing 5.8.2.0-30R. What is the best firmware branch? 5.8.x.x or 5.9.x.xx ? What is the main branch difference?

Thanks

Geovane

Bin · ‎10-26-2017

Hi Gary

At this time, our engineer team will provide fixes on 5.8.6.x release. If there are some new problems or issues on 5.8.6.x, the fixes will be made on 5.8.6.x which means 5.8.6.7-002R may not be the final release for 5.8.x.

Notice, KRACK includes 10 Vulnerabilities. It does not mean that ExtremeWireless Wing hits on all of those vulnerabilities.

Please check our release note which vulnerabilities could be fixed on WiNG.

/// 5.9.0.2-001R ///
http://documentation.extremenetworks.com/release_notes/WiNG/9035120-01_WiNG_5_9_0_2_Release_Notes.pd...

/// 5.8.6.7-002R ///
http://documentation.extremenetworks.com/release_notes/WiNG/9035063-01_WiNG_v5_8_6_7_Release_Notes.p...

For other vulnerabilities which be included in KRACK, you need to update client patch.

Best regards,
Bin

Bin · ‎10-26-2017

Hi Kees,
The AP650 is no longer supported. Released in 2010, it was announced EOS in May 2015 with software supported extended into 2017, nearly a year longer than normal. Last supported firmware for AP650 is 5.8.6.

Kindly request that you could think about to migrate from AP650 to AP7522/AP8432/AP8533

Best regards,
Bin

Karol_Radosovsk · ‎10-26-2017

In the initial statement (and I also explicitly asked about this) was said that also 5.8.4.x fix would be available, which would enable us to support the large install base of AP650 and 622 units. I see that this has been changed and there is no plan to do this. We consider this not quite fair, given the fact that these platforms were EOS only 2 years ago (PMB2543) and engineering support was lifted only half a year after EOS date! We have VX9000 based installations with older sites using AP650's and newer AP7522. Besides, AP650 were still supported in 5.8.6, which in Release Notes for 5.8.6.7 Extreme claims to support all the platforms supported in 5.8.6 and the 650 support was lifted only in 5.9.0. But 5.8.6.7 Release notes says it doesn't support 650. Please, provide a clear statement about this. Appreciate.

Kees · ‎10-26-2017

Hi Bin,

in the release notes of 5.8.6.0 the AP650 is not mentioned as being EOL.
In the release notes of 5.8.6.7 there is a reminder that the AP650 is EOL but the release applies to all platforms released with WiNG 5.8.6.0-011R.

Can this version be used for AP650 deployments?

Thanks,
Kees

Extreme Networks

KRACK attack on WPA2

KRACK attack on WPA2