
Security Advisory on Key Reinstallation Attacks(KRACK)

Moderator


Cambium Networks Security Advisory

CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088

 

Date: 16 October 2017

Last Update: 20 November 2017

 

Summary

 

The research paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was made publicly available on October 16th, 2017. It describes multiple vulnerabilities in the WPA2 four-way handshake protocol.

 

Multiple Cambium Products are affected by these vulnerabilities.

 

An attacker can potentially decrypt and replay data packets. General security practices like using HTTPS for sensitive data will mitigate the impact of an attack on most end users.

 

The network key is not revealed by this attack, so the attacker does not gain the ability to associate foreign devices to the network. The attacker will not gain the ability to connect unauthorized SMs to an ePMP network. Similarly, an attacker will not be able to associate unauthorized wireless clients to Wi-Fi networks.

 

Short attack description:

 

  • Attacker can decrypt arbitrary packets.
  • Attacker can replay broadcast and multicast frames.
  • Attacker can both decrypt and inject arbitrary packets. (TKIP or GCMP ONLY)
  • Attacker can force the client into using a predictable all-zero encryption key. (ANDROID 6.0+ and LINUX)
  • Attacker cannot recover the WPA2 passphrase.
  • Attacker cannot inject packets. (AES-CCMP ONLY)

 

Affected Products

 

ePMP all models

cnPilot all models running in Mesh/Repeater mode

 

Fixed in Software

cnPilot e-Series 3.4.3.5 - Released 3 November 2017

cnPilot R-Series 4.3.5 - Estimated Release 20 November 2017

ePMP 3.5.1-RC10 - Released 15 November 2017

 

Mitigations

cnPilot E series is only vulnerable in Mesh client mode or with 802.11r enabled

cnPilot R series is only vulnerable in Repeater mode

 

Temporarily disabling those modes will mitigate the risk.

 

More information

 

"WPA2 KRACK Vulnerability" webinar

http://community.cambiumnetworks.com/t5/ePMP-2000-and-1000/WPA2-KRACK-Vulnerability-webinar/m-p/7986...
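To illustrate the mechanism the advisory summarises (the AP retransmits handshake message 3, the client reinstalls the same PTK and resets its packet-number counter, so CCMP nonces repeat), here is an added Python model that is not Cambium's code and not part of the original post. The Supplicant class, run() and reused_nonces() are constructed for this example, and the fixed flag models a patched client that refuses to reinstall a key it has already installed.

```python
"""Toy model of a WPA2 supplicant handling a retransmitted 4-way
handshake message 3 (the KRACK condition). Constructed example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Supplicant:
    fixed: bool                      # True = patched behaviour
    installed: Optional[bytes] = None
    tx_pn: int = 0                   # CCMP packet number (nonce counter)
    replay_ctr: int = -1             # last accepted EAPOL replay counter
    nonces_used: List[int] = field(default_factory=list)

    def on_msg3(self, ptk: bytes, replay_ctr: int) -> bool:
        """Handle EAPOL message 3. Returns True if the key was (re)installed."""
        if replay_ctr <= self.replay_ctr:
            return False             # stale replay counter: dropped
        self.replay_ctr = replay_ctr
        if self.fixed and self.installed == ptk:
            # Patched: key already in place, so acknowledge the retransmit
            # but do NOT reinstall; the packet number keeps counting up.
            return False
        self.installed = ptk
        self.tx_pn = 0               # key install resets the nonce counter
        return True

    def send(self) -> int:
        """Encrypt one frame: consume the next packet number."""
        self.tx_pn += 1
        self.nonces_used.append(self.tx_pn)
        return self.tx_pn


def run(fixed: bool) -> List[int]:
    """Handshake, two frames, a retransmitted msg3, two more frames."""
    s = Supplicant(fixed=fixed)
    ptk = b"\x11" * 16               # constructed dummy PTK
    s.on_msg3(ptk, replay_ctr=1)
    s.send(); s.send()               # PN 1, 2
    s.on_msg3(ptk, replay_ctr=2)     # AP retransmits msg3 with a fresh counter
    s.send(); s.send()               # vulnerable client: PN 1, 2 again
    return s.nonces_used


def reused_nonces(fixed: bool) -> Set[int]:
    """Packet numbers (nonces) encrypted more than once under one key."""
    used = run(fixed)
    return {n for n in used if used.count(n) > 1}
```

The vulnerable run returns the nonce sequence 1, 2, 1, 2 (nonces 1 and 2 reused under the same key), while the patched run returns 1, 2, 3, 4 with no reuse, which is why both client patching and the AP-side option of suppressing message 3 retries, mentioned later in this thread, break the attack.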

 

 

8 REPLIES
Contributor

Re: Security Advisory on Key Reinstallation Attacks(KRACK)

Thank you for the prompt response Cambium.

New Contributor

Re: Security Advisory on Key Reinstallation Attacks(KRACK)

Are there any updates? And when is the update and fix expected to be released? Other vendors already released a patch!

 

Moderator

Re: Security Advisory on Key Reinstallation Attacks(KRACK)


Wisam Z wrote:

Are there any updates? And when is the update and fix expected to be released? Other vendors already released a patch!

 


Firmware version 3.4.3.5 is currently under test, we plan to release it by Monday.

New Contributor

Re: Security Advisory on Key Reinstallation Attacks(KRACK)

I think you are mistaken,

there is already 3.5 out, so the new update should be after 3.5!! Not before!

Moderator

Re: Security Advisory on Key Reinstallation Attacks(KRACK)


Wisam Z wrote:

I think you are mistaken,

there is already 3.5 out, so the new update should be after 3.5!! Not before!


I meant for the cnPilot Enterprise access points, where the latest released firmware versions are:

3.4.3.2 for E400/E50x

3.4.3.4 for E410/E600 

 

3.4.3.5 will be released for all platforms and include the WPA2 KRACK fixes.

Moderator

Re: Security Advisory on Key Reinstallation Attacks(KRACK)

To get more information please join "WPA2 KRACK Vulnerability" webinar that is scheduled on October 31.

https://register.gotowebinar.com/register/7276537552545157635

Contributor

Re: Security Advisory on Key Reinstallation Attacks(KRACK)

Will this update need to be applied to all client radios as well as the AP? Or is applying it to the AP sufficient to fix the issue?

 

 

 

Moderator

Re: Security Advisory on Key Reinstallation Attacks(KRACK)


Tandr06 wrote:

Will this update need to be applied to all client radios as well as the AP? Or is applying it to the AP sufficient to fix the issue?

 

 

 


Both Clients and APs should be patched, if they are vulnerable.

 

It is possible for an AP to prevent these attacks on a client by completely removing retries of the handshake messages, but this sort of mitigation can cause connectivity problems for all clients, especially in busy or noisy environments.