Security Advisory on Key Reinstallation Attacks (KRACK)

Cambium Networks Security Advisory

CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,

CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,

CVE-2017-13084, CVE-2017-13086, CVE-2017-13087,

CVE-2017-13088

Date: 16 October 2017

Last Update: 20 November 2017

Summary

The research paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was made publicly available on October 16th, 2017. It describes multiple vulnerabilities in the WPA2 four-way handshake protocol.

Multiple Cambium Products are affected by these vulnerabilities.

An attacker can potentially decrypt and replay data packets. General security practices like using HTTPS for sensitive data will mitigate the impact of an attack on most end users.

The network key is not revealed by this attack, so the attacker does not gain the ability to associate foreign devices to the network. The attacker will not gain the ability to connect unauthorized SMs to an ePMP network. Similarly, an attacker will not be able to associate unauthorized wireless clients to Wi-Fi networks.

Short attack description:

  • Attacker can decrypt arbitrary packets.
  • Attacker can replay broadcast and multicast frames.
  • Attacker can both decrypt and inject arbitrary packets. (TKIP or GCMP ONLY)
  • Attacker can force the client into using a predictable all-zero encryption key. (ANDROID 6.0+ and LINUX)
  • Attacker cannot recover the WPA2 passphrase.
  • Attacker cannot inject packets. (AES-CCMP ONLY)

Affected Products

ePMP all models

cnPilot all models running in Mesh/Repeater mode

Fixed in Software

cnPilot e-Series 3.4.3.5 - Released 3 November 2017

cnPilot R-Series 4.3.5 - Estimated Release 20 November 2017

ePMP 3.5.1-RC10 - Released 15 November 2017

Mitigations

cnPilot E series is only vulnerable in Mesh client mode or with 802.11r enabled

cnPilot R series is only vulnerable in Repeater mode

Temporarily disabling those modes will mitigate the risk.

More information

"WPA2 KRACK Vulnerability" webinar

http://community.cambiumnetworks.com/t5/ePMP-2000-and-1000/WPA2-KRACK-Vulnerability-webinar/m-p/79867#M12167


Thank you for the prompt response Cambium.

Is there any update? And when is the update and fix expected to be released? Other vendors already did release a patch!


@Wisam Z wrote:

Is there any update? And when is the update and fix expected to be released? Other vendors already did release a patch!


Firmware version 3.4.3.5 is currently under test, we plan to release it by Monday.

I think you are mistaken,

there is already 3.5 out, so the new update should be after 3.5!! Not before!


@Wisam Z wrote:

I think you are mistaken,

there is already 3.5 out, so the new update should be after 3.5!! Not before!


I meant for the cnPilot Enterprise access points, where the latest released firmware versions are:

3.4.3.2 for E400/E50x

3.4.3.4 for E410/E600 

3.4.3.5 will be released for all platforms and include the WPA2-Krack fixes.


To get more information please join "WPA2 KRACK Vulnerability" webinar that is scheduled on October 31.

https://register.gotowebinar.com/register/7276537552545157635

Will this update need to be applied to all client radios as well as the AP? Or is applying it to the AP sufficient to fix the issue?


@Tandr06 wrote:

Will this update need to be applied to all client radios as well as the AP? Or is applying it to the AP sufficient to fix the issue?


Both Clients and APs should be patched, if they are vulnerable.

It is possible for an AP to prevent these attacks on a client by completely removing retries of the handshake messages, but this sort of mitigation can cause connectivity problems for all clients, especially in busy or noisy environments.
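The reply above explains why simply suppressing handshake retries is a blunt mitigation. The signature a monitor can look for instead is the one the advisory's summary describes: a retransmitted message 3 followed by a client restarting its CCMP packet number (the nonce counter), which only happens if the client reinstalled the key. This is an added example and not Cambium's code; the frame records and MAC addresses are constructed, and a real tool would fill them from a capture.

```python
# Added example (not Cambium's code): flag key reinstallations in a capture by
# spotting a CCMP packet-number (nonce) reset after a retransmitted 4-way
# handshake message 3 with no fresh message 1 in between. Frames below are
# constructed sample records, not a real capture; MACs are placeholders.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Frame:
    sta: str                  # client MAC this frame belongs to
    kind: str                 # "eapol1", "eapol3" (handshake msgs) or "data"
    pn: Optional[int] = None  # CCMP packet number carried by data frames

def find_key_reinstallations(frames: List[Frame]) -> List[Tuple[str, int, int]]:
    """Return (sta, frame_index, pn) for every data frame whose PN is not
    higher than one already seen under the same key after message 3 was
    retransmitted. A patched client keeps counting; a vulnerable one
    reinstalls the key and restarts the nonce, which is what KRACK abuses."""
    state = {}
    alerts = []
    for i, f in enumerate(frames):
        s = state.setdefault(f.sta, {"msg3": 0, "max_pn": -1})
        if f.kind == "eapol1":
            # A new handshake installs a fresh PTK: counters legitimately restart.
            s["msg3"], s["max_pn"] = 0, -1
        elif f.kind == "eapol3":
            s["msg3"] += 1
        elif f.kind == "data" and f.pn is not None:
            if s["msg3"] > 1 and f.pn <= s["max_pn"]:
                alerts.append((f.sta, i, f.pn))
            s["max_pn"] = max(s["max_pn"], f.pn)
    return alerts

STA_A, STA_B = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs
SAMPLE_FRAMES = [
    Frame(STA_A, "eapol1"), Frame(STA_A, "eapol3"),
    Frame(STA_A, "data", 1), Frame(STA_A, "data", 2), Frame(STA_A, "data", 3),
    Frame(STA_A, "eapol3"),          # retransmitted message 3 (index 5)
    Frame(STA_A, "data", 1),         # PN restarted: key reinstalled (index 6)
    Frame(STA_B, "eapol1"), Frame(STA_B, "eapol3"), Frame(STA_B, "data", 1),
    Frame(STA_B, "eapol3"),          # retransmit to a patched client
    Frame(STA_B, "data", 2),         # PN keeps increasing: no reinstallation
    Frame(STA_B, "eapol1"), Frame(STA_B, "eapol3"),
    Frame(STA_B, "data", 1),         # restart after a genuine rekey: benign
]

if __name__ == "__main__":
    for sta, idx, pn in find_key_reinstallations(SAMPLE_FRAMES):
        print(f"possible key reinstallation: sta={sta} frame={idx} pn={pn}")
```

Because the CCMP packet number travels in the clear in the frame header, this check works from a passive monitor without any key material.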