Security Advisory on Key Reinstallation Attacks (KRACK)

Cambium Networks Security Advisory

CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088

Date: 16 October 2017

Last Update: 20 November 2017

Summary

The research paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was made publicly available on October 16th, 2017. It describes multiple vulnerabilities in the WPA2 four-way handshake protocol.

Multiple Cambium products are affected by these vulnerabilities.

An attacker can potentially decrypt and replay data packets. General security practices like using HTTPS for sensitive data will mitigate the impact of an attack on most end users.

The network key is not revealed by this attack, so the attacker does not gain the ability to associate foreign devices to the network. The attacker will not gain the ability to connect unauthorized SMs to an ePMP network. Similarly, an attacker will not be able to associate unauthorized wireless clients to Wi-Fi networks.

Short attack description:

  • Attacker can decrypt arbitrary packets.
  • Attacker can replay broadcast and multicast frames.
  • Attacker can both decrypt and inject arbitrary packets. (TKIP or GCMP ONLY)
  • Attacker can force the client into using a predictable all-zero encryption key. (ANDROID 6.0+ and LINUX)
  • Attacker cannot recover WPA2 passphrase.
  • Attacker cannot inject packets. (AES-CCMP ONLY)

Affected Products

ePMP all models

cnPilot all models running in Mesh/Repeater mode

Fixed in Software

cnPilot e-Series 3.4.3.5 - Released 3 November 2017

cnPilot R-Series 4.3.5 - Estimated Release 20 November 2017

ePMP 3.5.1-RC10 - Released 15 November 2017

Mitigations

cnPilot E series is only vulnerable in Mesh client mode or with 802.11r enabled.

cnPilot R series is only vulnerable in Repeater mode.

Temporarily disabling those modes will mitigate the risk.

More information

"WPA2 KRACK Vulnerability" webinar

http://community.cambiumnetworks.com/t5/ePMP-2000-and-1000/WPA2-KRACK-Vulnerability-webinar/m-p/79867#M12167
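
One way to apply the "Fixed in Software" and "Mitigations" sections above to a device inventory, as an added example that is not part of the Cambium advisory. The family keys, mode labels and inventory entries are hypothetical, and it assumes that releases newer than the listed fixed versions keep the fix.

```python
import re

# Fixed releases copied from the advisory's "Fixed in Software" section.
FIXED = {"cnpilot-e": "3.4.3.5", "cnpilot-r": "4.3.5", "epmp": "3.5.1-RC10"}

# Modes in which an unpatched device is vulnerable, per "Affected Products" and
# "Mitigations". None means every mode. Mode labels are hypothetical names.
RISKY_MODES = {
    "epmp": None,
    "cnpilot-e": {"mesh-client", "802.11r"},
    "cnpilot-r": {"repeater"},
}

def parse_version(text):
    """Turn '3.5.1-RC10' into a sortable key; a final release sorts after any RC."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-RC(\d+))?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * max(0, 4 - len(numbers))  # pad so 4.3.5 == 4.3.5.0
    rc = int(m.group(2)) if m.group(2) else float("inf")
    return numbers, rc

def assess(family, version, modes=()):
    """Return 'patched', 'exposed' or 'unpatched-mode-off' for one device."""
    if parse_version(version) >= parse_version(FIXED[family]):
        return "patched"
    risky = RISKY_MODES[family]
    if risky is None or risky & set(modes):
        return "exposed"
    return "unpatched-mode-off"  # still needs the upgrade, mitigation is in place

# Constructed sample inventory: (name, family, running version, enabled modes).
INVENTORY = [
    ("tower-sm-01", "epmp", "3.5.0", []),
    ("tower-ap-01", "epmp", "3.5.1-RC10", []),
    ("lobby-ap", "cnpilot-e", "3.4.3.4", ["802.11r"]),
    ("office-ap", "cnpilot-e", "3.4.3.4", []),
    ("home-rtr", "cnpilot-r", "4.3.4", ["repeater"]),
]

def report(inventory):
    return {name: assess(fam, ver, modes) for name, fam, ver, modes in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:12} {status}")
```

Devices reported as `unpatched-mode-off` rely on the temporary mitigation only and become exposed again if the mode is re-enabled before the upgrade.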

Hi

Here is a list of affected platforms

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Cambium is not part of the list....

Agreed.

We are unsure of whether Cambium devices are currently affected, unaffected or unknown since they have not self-reported to Homeland Security. Tech Support contact directing to this community link for all devices with WPA2.