Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

WPA2 Vulnerability Discussion

  • 1.  WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 06:22 AM

    Let's use this thread for discussion and Q&A on the industry-wide WPA2 vulnerability (http://www.arubanetworks.com/support-services/security-bulletins). We'll have people monitoring throughout the week.

     

    I also want to call your attention to some new RFProtect features that were added to ArubaOS in order to help detect the attack.  This is new enough that the technical documentation hasn't been updated yet - but the attached PDF should help.




  • 2.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:33 AM

    Hi Jon,

     

    Can I assume that there is no impact on corporate networks that are using EAP-TLS? Or are these connections vulnerable as well?



  • 3.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 06:37 AM

    Both WPA2-PSK and WPA2-Enterprise are affected by this, so even if using EAP-TLS it's still a problem.  Have a look at the FAQ.



  • 4.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 07:51 AM

    Hi jgreen,

     

    Thanks for opening this topic. In my case, I would need Aruba Instant 6.5.3.3 but that has already been available since October 10th on the support website, and I can't find anything about WPA2 vulnerability or bug id 168101 in the release notes. Any chance I'm missing something?


    Kind regards

     

     



  • 5.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 07:57 AM

    When all of the fixed versions of software were posted, the vulnerabilities were not yet public.  So the release notes do not mention them.  Now that the vulnerabilities are public, the release notes will be revised.



  • 6.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 08:00 AM

    Question asked through email: "Is OKC affected in the same way as 802.11r?"  Answer: no.  The FT handshake defined in 802.11r is the source of CVE-2017-13082.  OKC doesn't use that.



  • 7.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 08:24 AM

    @jgreen wrote:

    Question asked through email: "Is OKC affected in the same way as 802.11r?"  Answer: no.  The FT handshake defined in 802.11r is the source of CVE-2017-13082.  OKC doesn't use that.


    That is good to know, thanks!



  • 8.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:36 AM

    What is OKC?  

     

    The FAQ link above mentions that if 802.11r Fast BSS is not in use on the controllers you are not vulnerable with the exception of controllers using the "Mesh" feature of the Aruba OS.

    I validated all our controllers with the "show wlan dot11r-profile" command and saw all our reference counts are zero.  So with the exception of our mesh controllers we should not be affected, correct?

     



  • 9.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 08:00 AM

    Great, thanks for the quick response!



  • 10.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 09:04 AM

    @jgreen wrote:

    When all of the fixed versions of software were posted, the vulnerabilities were not yet public.  So the release notes do not mention them.  Now that the vulnerabilities are public, the release notes will be revised.


    Has the code for MST-200 MeshOS been released? The announcement indicates it has not yet been released.



  • 11.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 09:43 AM

    Are you also adding support for detection of KRACK-attack in RFProtect IPS/IDS?

     

    Kismet is adding support: https://twitter.com/KismetWireless/status/919911322451632128



  • 12.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 09:47 AM

    @Arjan_k: From the FAQ:

     

    Q: Can I detect if someone is attacking my network or devices?
    A: Aruba software checks for replay counter mismatches on a per-client basis and will produce a log message if detection is triggered. The log message begins with “Replay Counter Mismatches”, followed by additional details.
    Aruba has also released new RFProtect (WIDS) features and signatures to help detect attacks. These features are available in the following ArubaOS releases:
    • 6.4.4.16
    • 6.5.1.9
    • 6.5.3.3
    • 6.5.4.2
    • 8.2.0.0



  • 13.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 09:50 AM
    @John, from the PDF located here

    http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/74698/1/WPA2%20Vulnerability%20IDS%20feature.pdf

    Page 4, the command is logging level warnings security subcat ids

    The one mentioned in the document is incorrect. Typo simply.


  • 14.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:37 AM

    I can't seem to find 6.4.4.16 on the download site..

    Is anybody aware of when the patch releases will actually be made available for download?





  • 15.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 10:41 AM

    The tree is too long to capture, but look here

    6.4.4.16.PNG

     



  • 16.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:42 AM

    Seeing the same. 6.4.4.16 is not available to download yet looks like?



  • 17.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 10:45 AM

    @islander91 wrote:

    Seeing the same. 6.4.4.16 is not available to download yet looks like?


    Sign in and look under "Conservative Releases". If you cannot sign in, look under "Lifetime Warranty Software" for the publicly released files.



  • 18.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:00 AM

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards



  • 19.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:24 PM

    @jmsende wrote:

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards


    I've seen this question asked a couple of times, and I am wondering the same thing, but there haven't been any answers. Is this hard to say for certain? The FAQ seems pretty clear, but it would be nice to have verification.


  • 20.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 12:28 PM

    @rluechtefeld wrote:

    @jmsende wrote:

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards


    Here is a quote from Aruba's IDS document.

     

    When 802.11r is enabled, the attacker does key reinstallation attack
    against FT (Fast BSS Transition) handshake via retransmitting
    reassociation requests

     

    That indicates to me that disabling 802.11r is only a partial workaround.

     



  • 21.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:39 PM

    @bosborne wrote:

    @rluechtefeld wrote:

    @jmsende wrote:

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards


    Here is a quote from Aruba's IDS document.

     

    When 802.11r is enabled, the attacker does key reinstallation attack
    against FT (Fast BSS Transition) handshake via retransmitting
    reassociation requests

     

    That indicates to me that disabling 802.11r is only a partial workaround.

     


    Thanks for the reply.  I am curious though, what in that statement makes you believe that you are still vulnerable?

     

     



  • 22.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 12:44 PM

    I guess I should have quoted more from that page. 

     

    According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

     

     

     



  • 23.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 12:57 PM

    @bosborne wrote:

    I guess I should have quoted more from that page. 

     

    According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

     

     

     


    Turning off 802.11r will mitigate CVE-2017-13082, and only that CVE.  You'll need to assess, particularly for the client side, whether the other CVEs apply.  If the client is vulnerable to the 4-way handshake attack (CVE-2017-13077) then turning off 802.11r has no effect on that.



  • 24.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 01:22 PM


  • 25.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 01:26 PM

    @jgreen wrote:

    @bosborne wrote:

    I guess I should have quoted more from that page. 

     

    According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

     

     

     


    Turning off 802.11r will mitigate CVE-2017-13082, and only that CVE.  You'll need to assess, particularly for the client side, whether the other CVEs apply.  If the client is vulnerable to the 4-way handshake attack (CVE-2017-13077) then turning off 802.11r has no effect on that.


    Jon, thanks for your reply too.  I'm only responsible for the Aruba controllers and APs.  The client endpoints, i.e. enterprise owned laptops and devices are being addressed by another group in my organization.

     

    Regarding guest devices, i.e. phones, tablets, etc. not owned by the enterprise, does the Aruba controller upgrade help prevent issues with those devices that have not been patched?  My initial reading of this issue makes me believe it doesn't, but I'm far from an expert in this area.



  • 26.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 01:37 PM

    rluechtefeld wrote:

    Regarding guest devices, i.e. phones, tablets, etc. not owned by the enterprise, does the Aruba controller upgrade help prevent issues with those devices that have not been patched?  My initial reading of this issue makes me believe it doesn't, but I'm far from an expert in this area.


    It will not help those devices, although you do get the new WIDS signatures that can help detect the attack against them.  Most guest devices are generally on open networks though, where this attack has no effect.



  • 27.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 02:43 PM

    Where is the configuration to make sure 802.11r Fast BSS Transition is not enabled?



  • 28.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 02:45 PM

    @Chez379 wrote:

    Where is the configuration to make sure 802.11r Fast BSS Transition is not enabled?


    We did this to check for 802.11r.

     

    (ARUBA-MASTER-GH) #show wlan dot11r-profile

    802.11r Profile List
    --------------------
    Name References Profile Status
    ---- ---------- --------------
    default 0

    Total:1

    (ARUBA-MASTER-GH) #

     



  • 29.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 02:57 PM

    Is there a place in the GUI to check this, can't seem to putty into the controller.  This is in the AirWave interface, NOT the controller interface, correct?


    @bosborne wrote:

    @Chez379 wrote:

    Where is the configuration to make sure 802.11r Fast BSS Transition is not enabled?


    We did this to check for 802.11r.

     

    (ARUBA-MASTER-GH) #show wlan dot11r-profile

    802.11r Profile List
    --------------------
    Name References Profile Status
    ---- ---------- --------------
    default 0

    Total:1

    (ARUBA-MASTER-GH) #

     


     



  • 30.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 03:04 PM

    This was CLI (puTTY is OK) on the controller.

    From WebUI you can go to:

    Configuration -> ADVANCED SERVICES -> All Profiles -> Wireless LAN -> 802.11r.

    In Profile Details click on Show Reference.




  • 31.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:11 PM

    Thank You!!!

    @bosborne wrote:

    This was CLI (puTTY is OK) on the controller.

    From WebUI you can go to:

    Configuration -> ADVANCED SERVICES -> All Profiles -> Wireless LAN -> 802.11r.

    In Profile Details click on Show Reference.



     



  • 32.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:22 PM

    Had to check 90 controllers today.  I just created a script and ran "show wlan dot11r-profile".  Took about 10 minutes.

     



  • 33.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 03:24 PM

    @ascott wrote:

    Had to check 90 controllers today.  I just created a script and ran "show wlan dot11r-profile".  Took about 10 minutes.

     


    90 standalone masters?

    Most sites that size push the configuration from a master controller (preferably an HA pair).



  • 34.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:32 PM

    Yep 90 stand alone master controllers.  Airwave manages our configurations no issues there.  But for the sanity check on this vulnerability I wanted to manually validate each device.  Rather than accessing one at a time I exported all the management IPs from Airwave into a list and used that list as part of the script.  Script logged into each device in the list one at a time, ran the command and output everything to a log file.  I was able to see the zero references for each controller as it ran so I really didn't need the log file.  To me this was a clean and easy way.
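
An added example, not part of the original post and not Aruba's own tooling: one way to check a log file like the one described above without reading it by eye, by parsing each controller's saved "show wlan dot11r-profile" output and flagging any 802.11r profile with a non-zero reference count. The table layout follows the output quoted in this thread; the management IPs, the second hostname, the "campus-ft" profile and the function names are constructed for illustration.

```python
import re

# Constructed sample captures, keyed by management IP (documentation addresses).
SAMPLE_CAPTURES = {
    "192.0.2.10": """\
(ARUBA-MASTER-GH) #show wlan dot11r-profile

802.11r Profile List
--------------------
Name     References  Profile Status
----     ----------  --------------
default  0

Total:1

(ARUBA-MASTER-GH) #
""",
    "192.0.2.11": """\
(ARUBA-SITE-B) #show wlan dot11r-profile

802.11r Profile List
--------------------
Name       References  Profile Status
----       ----------  --------------
default    0
campus-ft  2

Total:2

(ARUBA-SITE-B) #
""",
    # Login never succeeded, so no table was captured.
    "192.0.2.12": "ssh: connect to host 192.0.2.12 port 22: Connection timed out\n",
    # Session dropped before the Total line was printed.
    "192.0.2.13": """\
802.11r Profile List
--------------------
Name     References  Profile Status
----     ----------  --------------
default  0
""",
}

ROW = re.compile(r"^(?P<name>.+?)\s+(?P<refs>\d+)(?:\s+(?P<status>\S.*))?$")
TOTAL = re.compile(r"^Total:\s*(\d+)$")


def parse_dot11r_profiles(output):
    """Return [(profile_name, reference_count), ...] from one captured session.

    Raises ValueError when the table is missing or incomplete, so a failed
    login or truncated capture is never mistaken for "zero references".
    """
    lines = [ln.strip() for ln in output.splitlines()]
    start = next((i for i, ln in enumerate(lines)
                  if ln.split()[:2] == ["Name", "References"]), None)
    if start is None:
        raise ValueError("profile table not found")

    rows, total = [], None
    for ln in lines[start + 1:]:
        if not ln or set(ln) <= {"-", " "}:   # blank line or dashed rule
            continue
        m = TOTAL.match(ln)
        if m:
            total = int(m.group(1))
            break
        m = ROW.match(ln)
        if not m:
            raise ValueError("unparseable row: %r" % ln)
        rows.append((m.group("name"), int(m.group("refs"))))

    if total is None or total != len(rows):
        raise ValueError("row count does not match Total line")
    return rows


def audit(captures):
    """Map each controller to a verdict string based on its captured output."""
    report = {}
    for host, output in sorted(captures.items()):
        try:
            profiles = parse_dot11r_profiles(output)
        except ValueError as exc:
            report[host] = "UNVERIFIED (%s)" % exc
            continue
        in_use = ["%s (%d)" % (n, r) for n, r in profiles if r > 0]
        if in_use:
            report[host] = "802.11r in use: " + ", ".join(in_use)
        else:
            report[host] = "no 802.11r references"
    return report


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_CAPTURES).items():
        print("%-12s %s" % (host, verdict))
```

A controller reported as UNVERIFIED needs the command re-run; only a complete table with every count at zero supports the "802.11r not in use" conclusion for that controller's AP side.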

     

     



  • 35.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 12:28 PM

    @rluechtefeld wrote:

    @jmsende wrote:

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards


    I've seen this question asked a couple of times, and I am wondering the same thing, but there haven't been any answers. Is this hard to say for certain? The FAQ seems pretty clear, but it would be nice to have verification.

    There are two sides in Wi-Fi - the AP and the client.  Both sides may have vulnerabilities.  If you are not using 802.11r or mesh, then the Aruba AP side of the equation is safe and you can safely leave your Aruba software unpatched (well except for last week's advisories...)

     

    On the client side, the 4-way handshake may be vulnerable.  This depends on your client manufacturer.  If you leave that vulnerability unpatched, then you are NOT safe.

     

    If you have clients that are NOT vulnerable to the 4-way handshake, but ARE vulnerable to 802.11r, and you have disabled 802.11r on the AP side, then you should also be safe.



  • 36.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:31 PM

    "If you are not using 802.11r or mesh,"

     

    How do we tell that from Airwave managing IAPs?

     



  • 37.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:45 AM

    They put it under "conservative releases" for some reason.

     

     




  • 38.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:02 AM

    Hum.

    I have a 3200 controller.

    It's not clear to me which one of these images I should be trying to install on my controller.



  • 39.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 11:10 AM

    @Viss wrote:

    Hum.

    I have a 3200 controller.

    It's not clear to me which one of these images I should be trying to install on my controller.


    3200 or 3200XM?

    3200 cannot be upgraded past 6.1.x which was end of support May 2015.

    For 3200XM, depending on your current version, I personally would try either 6.3.1.25 or 6.4.4.16.



  • 40.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:13 AM

    I'm currently running 6.4.4.9, and I'm trying to upgrade to 6.4.4.16, however what appear to be the 'model numbers' in the firmware filenames say 6xx, 70xx, and 72xx. I'm not sure which to select, or if it will brick my controller if I use the wrong one.



  • 41.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 11:18 AM

    @Viss wrote:

    I'm currently running 6.4.4.9, and I'm trying to upgrade to 6.4.4.16, however what appear to be the 'model numbers' in the firmware filenames say 6xx, 70xx, and 72xx. I'm not sure which to select, or if it will brick my controller if I use the wrong one.


    For the 3000 controller, or the 6000/M3, take the MMC architecture.



  • 42.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:19 AM

    oh I got it.

    the descriptions are missing in the 6.4.4.16 release section.

    If you go to the 6.3.1.25 section, the notes are there and it says the 'MMC' version of the firmware is for the 3200 series controllers.

     

    Looks like in the rush to get the fixed versions out they skipped all the remarks sections for all the 6.4.4.16 releases.

     

    sigh.



  • 43.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 11:26 AM

    @Viss wrote:

    oh I got it.

    the descriptions are missing in the 6.4.4.16 release section.

    If you go to the 6.3.1.25 section, the notes are there and it says the 'MMC' version of the firmware is for the 3200 series controllers.

     

    Looks like in the rush to get the fixed versions out they skipped all the remarks sections for all the 6.4.4.16 releases.

     

    sigh.


     

    MMC is for 3200XM, 3400, 3600 controller.

    They all use the same CPU architecture.



  • 44.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:16 AM

    In the meantime between installing an appropriate firmware, are there other things that can/should be done to alleviate the risk?

     

    For example, how do we tell if an IAP cluster is running 802.11r or OKC? Also, how do we know if we're using "Wi-Fi uplink" and is that an issue?

     

    Are there actions that we can perform to reduce the risk before all access points are updated e.g. disable 802.11r and Wi-Fi Uplink ?

     

    Finally on the client side, what actions are needed as I saw a previous post said BOTH sides need to be addressed (Windows 7/10 clients).

     

     

    Any info will be appreciated.

    Cheers.

     



  • 45.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:29 AM
    OKC is enabled by default in a WPA2-PSK network but if you have a WPA2-Enterprise network in your IAP config, you will see a checkbox that will show you either checked or not.
    The same applies for 802.11r.

    For Wi-Fi Uplink, well are you using another wireless network to connect your IAP to for a WAN link? Under System -> Advanced -> Uplink -> Wi-Fi

    On the client side, you need to speak with the wireless chipset vendors.

    Aruba has taken care of the infrastructure side of things.


  • 46.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:11 AM

    Check "Conservative Releases" listing instead of Standard Releases.



  • 47.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 11:48 AM

    @arjan_k wrote:

    Are you also adding support for detection of KRACK-attack in RFProtect IPS/IDS?

     

    Kismet is adding support: https://twitter.com/KismetWireless/status/919911322451632128


    See the attached PDF file.

    Attachment(s)



  • 48.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 11:55 AM

    I've seen a few people commenting about OKC.  OKC is not affected by the FT handshake vulnerability - you do not need to disable OKC.

     

    I've added this to the FAQ.



  • 49.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 11:47 AM

    @bosborne wrote:


    Has the code for MST-200 MeshOS been released? The announcement indicates it has not yet been released.


    MST code has not been released yet - I don't have any updates on that yet.



  • 50.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 09:58 AM

    I have multiple Aruba IAP-135's deployed and need to patch for this vulnerability.  The only firmware revision available is 6.4.4.8-4.2.4.9_61734.

     

    Is this revision a pre-requisite for 6.5.3.3?  

     

    Or will 6.5.3.3 not be available for the IAP-135 model?



  • 51.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:01 AM

    Is an unpatched client still vulnerable while connected to a Patched Access Point? Or do both ends need to be patched to resolve this issue?



  • 52.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:03 AM

    @msuiter wrote:

    Is an unpatched client still vulnerable while connected to a Patched Access Point? Or do both ends need to be patched to resolve this issue?


    Both ends need to be fixed.



  • 53.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:12 PM
    @msuiter wrote:

    Is an unpatched client still vulnerable while connected to a Patched Access Point? Or do both ends need to be patched to resolve this issue?

    Both ends need to be fixed.

     

    Are you certain about this?

     

    I found this online.

    https://exchange.xforce.ibmcloud.com/collection/396ecb6880625d6e58dd7636b7c8e8fd

    "According to the announcement linked below, if even only one of the devices (client or access point) has been patched, the pair are not vulnerable to this form of attack."

     

    I was unable to locate the original announcement that it references.



  • 54.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 06:24 PM

    @jbyun wrote:

     

    Are you certain about this?

     

    I found this online.

    https://exchange.xforce.ibmcloud.com/collection/396ecb6880625d6e58dd7636b7c8e8fd

    "According to the announcement linked below, if even only one of the devices (client or access point) has been patched, the pair are not vulnerable to this form of attack."

     

    I was unable to locate the original announcement that it references.


    The set of vulnerabilities can be divided into two groups.

     

    The 4-way handshake and group key vulnerability affects the CLIENT side.  Patching the AP side will do nothing to control this.

     

    The 802.11r FT handshake vulnerability affects the AP side.  Patching the AP side, or disabling 802.11r on the AP side, is sufficient to mitigate this vulnerability.  Patching the client side alone does not stop the attack.

     

    Conclusion:  Updates are needed on both sides.

     

    Aruba APs can sometimes act like clients (mesh mode, primarily).  That's why Aruba is affected by both groups of vulnerabilities.  However, if you disable 802.11r and are not using mesh, you can safely delay updating your Aruba software.



  • 55.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:02 AM

    @tgb wrote:

    I have multiple Aruba IAP-135's deployed and need to patch for this vulnerability.  The only firmware revision available is 6.4.4.8-4.2.4.9_61734.

     

    Is this revision a pre-requisite for 6.5.3.3?  

     

    Or will 6.5.3.3 not be available for the IAP-135 model?


    6.4.4.8-4.2.4.9 is the version to go to... this also includes the patch.



  • 56.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 10:05 AM

    Aruba Instant 4.2.x is the last available firmware version for the IAP-135:

    http://www.arubanetworks.com/support-services/end-of-life/#AccessPoints



  • 57.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 08:24 AM

    Will there be a list of patched clients - ie clients/os that has a patch for this? It would be great to cover how Windows 7, 8, 8.1, 10 Apple MacOS Sierra, High Sierra, OSX, Linux Mint, Debian, Ubuntu, Android under Samsung, HTC, Sony. Iphone IOS 9,10,11 handle this. 

     

    Geir




  • 58.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 08:26 AM

    @Geir wrote:

    Will there be a list of patched clients - ie clients/os that has a patch for this? It would be great to cover how Windows 7, 8, 8.1, 10 Apple MacOS Sierra, High Sierra, OSX, Linux Mint, Debian, Ubuntu, Android under Samsung, HTC, Sony. Iphone IOS 9,10,11 handle this. 

     

    Geir



    I will do my best to compile that list - right now unfortunately I don't have any information on it.  If people want to add client info to this thread as it comes in, that would be welcome!



  • 59.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 08:34 AM

    Could the WIPS feature block this kind of attack? Like stop client to try connection in a fake ap?



  • 60.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 18, 2017 05:50 AM

    @Geir wrote:

    Will there be a list of patched clients - ie clients/os that has a patch for this? It would be great to cover how Windows 7, 8, 8.1, 10 Apple MacOS Sierra, High Sierra, OSX, Linux Mint, Debian, Ubuntu, Android under Samsung, HTC, Sony. Iphone IOS 9,10,11 handle this. 

     

    Geir



    Probably not.  Please contact those manufacturers, because we cannot speak for them.



  • 61.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:38 AM

    We have some AP-125s they are running 6.4.2.x code. Can they run the 6.4.4.16 the patch for this vulnerability. Everything I read says it can run 6.4 code. It does not say 6.4.2.x, 6.4.3.x or 6.4.4.x.



  • 62.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 10:44 AM

    @jcameron wrote:

    We have some AP-125s they are running 6.4.2.x code. Can they run the 6.4.4.16 the patch for this vulnerability. Everything I read says it can run 6.4 code. It does not say 6.4.2.x, 6.4.3.x or 6.4.4.x.


    We have been running 6.4.4.x code on AP-125 for quite a while. 6.4.4.16 also has a fix we have been testing for a while.

     

    The software was available for customers last week.



  • 63.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:10 AM

    Thanks.



  • 64.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 12:17 PM

    Jon mentioned in his article that TKIP is broken worse than AES.

     

    Do these patches fix both TKIP and AES or just AES?



  • 65.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 12:32 PM

    @bosborne wrote:

    Jon mentioned in his article that TKIP is broken worse than AES.

     

    Do these patches fix both TKIP and AES or just AES?


    Both, from the Aruba infrastructure perspective.  Remember the client may need to be patched too.

     

    TKIP is still bad - we fixed the key handshake issue, not the underlying weakness in TKIP.



  • 66.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 12:41 PM

    Attachment(s)

    pdf
    FAQ 2017-10-16.pdf   295 KB 1 version


  • 67.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:18 PM

    Is the HPE Networking site supposed to get the most up-to-date firmware downloads as well as the arubanetworks site?  On the HPE site it looks like the latest firmware showing was dropped in September.  




  • 68.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 12:21 PM

    It is available on support.arubanetworks.com under "Conservative Release".

     

    It is also publicly available at http://support.arubanetworks.com/LifetimeWarrantySoftware/tabid/121/DMXModule/661/EntryId/27269/Default.aspx

     



  • 69.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:23 PM
    Use the support.arubanetworks.com site for the most up to date firmware


  • 70.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 01:32 PM

    Is there an update for the IAP-92 and IAP-93?



  • 71.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 01:39 PM

    Can't they run the versions listed in the security advisory?

     All listed vulnerabilities have been fixed in the following InstantOS patch
     releases, which are available for download immediately:
      -- 4.2.4.9
      -- 4.3.1.6
      -- 6.5.3.3
      -- 6.5.4.2


  • 72.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 01:50 PM

    @bosborne wrote:

    Can't they run the versions listed in the security advisory?

     All listed vulnerabilities have been fixed in the following InstantOS patch
     releases, which are available for download immediately:
      -- 4.2.4.9
      -- 4.3.1.6
      -- 6.5.3.3
      -- 6.5.4.2

    Possibly not.  The end-of-support site says that the latest version for the IAP-92/93 is 4.1.1.  I'm trying to get clarification on what should be done for 4.1.  It's possible that 4.1 didn't have support for any vulnerable features.



  • 73.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 02:32 PM
    We are running 6.4.2.6-4.1.3.4_57646

    Bob,


    [Boon Edam]
    R.W. 'Bob' Brady | IT Manager | Boon Edam Inc.
    T (910) 814 8115 | M (919) 623-9000 | F (910) 814-3899
    402 McKinney Parkway | Lillington, NC 27546
    Working Hours 0600-1500 EST
    www.boonedam.us| Robert.Brady@boonedam.com [Your entry experts]


  • 74.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 02:40 PM

    rby@boonedam.us wrote:
    We are running 6.4.2.6-4.1.3.4_57646

    Bob,


    [Boon Edam]
    R.W. 'Bob' Brady | IT Manager | Boon Edam Inc.
    T (910) 814 8115 | M (919) 623-9000 | F (910) 814-3899
    402 McKinney Parkway | Lillington, NC 27546
    Working Hours 0600-1500 EST
    www.boonedam.us| Robert.Brady@boonedam.com [Your entry experts]

    Those are the only versions listed for InstantOS. Are they running as IAPs, RAPs, or Campus APs?



  • 75.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 04:47 PM

    I am wondering the same thing about the IAP-93? Will a patch be available for these, or will I need to shut mine down?



  • 76.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 04:55 PM
    Do you use 802.11r?
    Do you have mesh APs? (I don't think IAP-93s support mesh anyway)
    Do you use Wi-Fi as a WAN uplink?

    If NO to all these questions, then you are somewhat protected. The infrastructure side will be ok but your clients still need to be patched.

    Again, the FAQ is your guide here.
    http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/74761/1/FAQ%202017-10-16.pdf

    page. 3 and 4 for instant.

    If I am incorrect, someone will for sure correct me that I can assure you.


  • 77.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 05:21 PM

    @sumnerbrianc wrote:

    I am wondering the same thing about the IAP-93? Will a patch be available for these, or will I need to shut mine down?


    We missed the AP92/93 in our patches - the engineering team is working on that right now.  It should not take too long.

     

    As far as the vulnerability goes, as long as your AP92/93 does not have 802.11r enabled, and you're not using mesh or Wi-Fi uplink (the AP-92 is a single-radio AP, so I don't think this is a common AP for those features) then I think you are safe keeping the network up.  In AP mode, 802.11r is the only vulnerability.  In client mode (mesh, Wi-Fi uplink), the 4-way handshake vulnerability is there.



  • 78.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 05:50 PM

    Hey All,

     

    I am running 3400's and a 3600 on AOS 6.4.2.18 and cannot upgrade the firmware any higher.  I am having a hard time determining if there is a patch I can choose?

     

    rif



  • 79.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 05:55 PM
    The 3x00 series of controllers support 6.4.4.16 which is a firmware that contains the fix.

    The FAQ will help here.
    http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/74761/1/FAQ%202017-10-16.pdf
    page 3


  • 80.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 05:59 PM

    Thank you Pasquale, but do AP134/5's support 6.4.4.16 ?

     

    Thanks,

     

    rif



  • 81.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:02 PM


  • 82.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 04:08 PM



    We missed the AP92/93 in our patches - the engineering team is working on that right now.  It should not take too long.

     


    Any update on these patches?  I can't seem to locate anything for the IAP-92/93 models.



  • 83.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 05:19 PM

    NickA99 -  I called Aruba Networks yesterday and spoke to one of their technicians. The IAP-93 is an Orion class Aruba AP. The tech used GTA to remote into my system and attempted to update my 93s, using the latest Orion class patch but the patch failed.


    He then said that Aruba will not be patching the IAP-93s and I was out of luck. I showed him that support on these ends 1 Nov 2019, but he insisted that it is not covered.

    I don't understand how they refuse to support a product when it is not EOL until 2019, but that is another reason to look at other solutions.



  • 84.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 17, 2017 05:23 PM

    No, you got bad information on that.  The team has an updated version of 4.1 built now and is running it through testing.  I've been told a release date of no later than October 23.

     

    To reiterate - if you are not using 802.11r or mesh on the AP-92, then you do not have a vulnerability that needs an immediate patch.  If you ARE using 802.11r, you can shut it off temporarily.



  • 85.  RE: WPA2 Vulnerability Discussion

    Posted Oct 26, 2017 04:36 PM

    @jgreen wrote:

    No, you got bad information on that.  The team has an updated version of 4.1 built now and is running it through testing.  I've been told a release date of no later than October 23.


    Any update on this?  I still cannot locate the images for IAP-92/93.



  • 86.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 26, 2017 04:53 PM

    They are, unfortunately, having some problems getting the AP not to run out of memory (which is the reason the AP92/93 was end-of-lifed and capped at 4.1 software in the first place) after integrating a fix for a different security vulnerability.  It's definitely not getting ignored as I'm seeing numerous emails in my inbox about it, but I don't know how much longer it's going to take...



  • 87.  RE: WPA2 Vulnerability Discussion

    Posted Dec 04, 2017 08:53 AM

    Hi

    I can download version ArubaInstant_Orion_6.4.4.8-4.2.4.8_60300 for IAP-93, dated Jul 2017, before the vulnerability was found. Is a patch available, and how can I download a patch if available for IAP-93-rw / IAP-92-rw?

    thx

    Elie



  • 88.  RE: WPA2 Vulnerability Discussion

    Posted Dec 04, 2017 08:57 AM
    Under the Limited Warranty Software section, it will be present there.
    4.1.3.5. under conservative release


  • 89.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 05:17 AM
    Awesome, we will be watching for the release.
    Thanks,


    [Boon Edam]
    R.W. 'Bob' Brady | IT Manager | Boon Edam Inc.
    T (910) 814 8115 | M (919) 623-9000 | F (910) 814-3899
    402 McKinney Parkway | Lillington, NC 27546
    Working Hours 0600-1500 EST
    www.boonedam.us| Robert.Brady@boonedam.com [Your entry experts]


  • 90.  RE: WPA2 Vulnerability Discussion

    Posted Nov 01, 2017 08:26 AM

    We missed the AP92/93 in our patches - the engineering team is working on that right now.  It should not take too long.

     


    Do you have an update on the planned firmware for the IAP 93?



  • 91.  RE: WPA2 Vulnerability Discussion

    Posted Nov 01, 2017 02:40 PM


  • 92.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Nov 07, 2017 09:14 AM

    @prettyflyforawifi wrote:

    We missed the AP92/93 in our patches - the engineering team is working on that right now.  It should not take too long.

     


    Do you have an update on the planned firmware for the IAP 93?


    Alright - huge apologies for this one.  Something that was not supposed to take very long apparently ran into some big engineering challenges because in addition to the WPA2 concerns, we had to deal with some updated radio regulatory-related changes that I won't claim to understand, and it was pushing the bounds on the IAP92/93 memory.  But as of today, 6.4.2.6-4.1.3.5, which includes support for the IAP92/93, is available on the support website for download.  It hasn't been copied to the Lifetime Warranty tab yet but I sent in that request.



  • 93.  RE: WPA2 Vulnerability Discussion

    Posted Nov 09, 2017 03:01 AM

    Hi,

     

     I have a cluster with 4 IAP-93 and 4 IAP-205 with firmware 6.4.2.6-4.1.3.0. I couldn't see firmware 6.4.2.6-4.1.3.5 in Lifetime Warranty Web Page, but after your post the VC detected it automatically.

     

     I selected the upgrade, but only IAP-205 upgraded; meanwhile IAP-93 rebooted with reason out of memory. As IAP-93 started faster than IAP-205, one of them took the master role, which caused IAP-205 to reboot again and downgrade to 6.4.2.6-4.1.3.0.

     

     Now I have again all the cluster in version 6.4.2.6-4.1.3.0, I wanted to know if someone was able to upgrade IAP-93 successfully.

     

     

    Thanks,



  • 94.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Nov 09, 2017 10:28 AM

    @rds wrote:

    Hi,

     

     I have a cluster with 4 IAP-93 and 4 IAP-205 with firmware 6.4.2.6-4.1.3.0. I couldn't see firmware 6.4.2.6-4.1.3.5 in Lifetime Warranty Web Page, but after your post the VC detected it automatically.

     

     I selected the upgrade, but only IAP-205 upgraded; meanwhile IAP-93 rebooted with reason out of memory. As IAP-93 started faster than IAP-205, one of them took the master role, which caused IAP-205 to reboot again and downgrade to 6.4.2.6-4.1.3.0.

     

     Now I have again all the cluster in version 6.4.2.6-4.1.3.0, I wanted to know if someone was able to upgrade IAP-93 successfully.

     

     

    Thanks,


    The fixed version closest to yours is 6.4.4.8-4.2.4.9. 

     

    I suspect your version is no longer supported due to the additional patches in the newer version.



  • 95.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Nov 09, 2017 10:43 AM

    @rds wrote:

    Hi,

     


     Now I have again all the cluster in version 6.4.2.6-4.1.3.0, I wanted to know if someone was able to upgrade IAP-93 successfully.

     

     

    Thanks,


    The "out of memory" issue is the big problem with the IAP-92/93 and is why it took so long to get 4.1.3.5 released.  No matter what we do, it's going to be "on the edge".  Engineering's recommendation was to configure the 205 as the preferred master for the cluster and prevent the 92/93 from becoming the master.  They think that should allow it to run successfully.  That said... we know we're pushing up against the limits on that platform.



  • 96.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Nov 09, 2017 10:52 AM

    It looks to me that the new version of IAP92/93 software hit the Limited Warranty tab today.

    Before that, only contract users had access.



  • 97.  RE: WPA2 Vulnerability Discussion

    Posted Nov 09, 2017 10:54 AM

    Thank you jgreen,

     

     It is a real problem because we are limiting IAP-205 to an older firmware to make them compatible with IAP-93, but we can't remove IAP-93 either, they are working fine so far and they are not so old.

     

     We'll wait a couple of days to see if someone else was able to upgrade them. Today it took more than 20 minutes with several reboots to finally remain in the starting firmware.

     

    Regards,



  • 98.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 16, 2017 03:30 PM

    Microsoft released their patch on October 10.

     

    https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability

    Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.

     

     



  • 99.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:39 PM

    If I am not using 802.11r and there are no mesh APs, is there still a need to upgrade?



  • 100.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 03:45 PM

    @harishdv wrote:

    If I am not using 802.11r and there are no mesh APs, is there still a need to upgrade?


    You could wait - just make sure you are paying attention to the client side of the problem.

     

    Also make sure you consider the vulnerability advisories from last week...



  • 101.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:45 PM
    Well if you have a controller based network, there are other vulnerabilities that affect you so yes you should upgrade.

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt
    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-006.txt


  • 102.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:50 PM
    Well, there are workarounds for those as well.


  • 103.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 05:54 PM

    It is not clear to me if the patched versions fix the mesh vulnerability. Is this the case?



  • 104.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 16, 2017 05:56 PM

    @charliepdean wrote:

    It is not clear to me if the patched versions fix the mesh vulnerability. Is this the case?


    Patched versions fix all known vulnerabilities, including the mesh issues.



  • 105.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:31 PM

    Was able to get version 6.5.4.2 installed on our 7030 and most APs came back up after a few minutes except for our 6 AP-215s.  They just keep power cycling.  I grabbed one and am looking at the logs, but I don't see anything that stands out.  Is anyone else having any issues with their APs?

    Attachment(s)

    zip
    ap-215.zip   2 KB 1 version


  • 106.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 08:14 AM

    @derek.m.ward wrote:

    Was able to get version 6.5.4.2 installed on our 7030 and most APs came back up after a few minutes except for our 6 AP-215s.  They just keep power cycling.  I grabbed one and am looking at the logs, but I don't see anything that stands out.  Is anyone else having any issues with their APs?


    This is not related to the WPA2 vulnerability thread, I suggest you post it in the Wireless Access forum and you will definitely get some help/traction there.

     

    We want to keep this thread specifically related to the WPA2 vulnerability.

     

     



  • 107.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 02:12 AM

    Hi,

     


    @jgreen wrote:

     

    I also want to call your attention to some new RFProtect features that were added to ArubaOS in order to help detect the attack.  This is new enough that the technical documentation hasn't been updated yet - but the attached PDF should help.


    Will this be integrated in ArubaIOS too?



  • 108.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 04:49 AM

    Even while there's lots of info to find about the WPA2 vuln, I'm still not sure if our APs are safe or not.

     

    We've a wifi network consisting of several IAP-105's. Their latest FW is 6.4.4.8-2.4.9_91734; From what I know:

    * http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt doesn't list any 6.4.x version under "Affected Products/Aruba Instant".

    * According to the FAQ http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf : page 3, Q: How is Aruba Instant affected? it states ".. As an authenticator (standard WPA2 functionality where the AP exchanges encrypted information with a Wi-Fi client), InstantOS is not vulnerable to the key reinstallation attack in the 4-way .."

    * We don't have 802.11r enabled

     

    I've checked and there doesn't seem to be any 6.5 release for the IAP-105.

    So based on the previous info, I conclude that our AP's are not vulnerable to the KRACK attack. However, I'd really appreciate if someone else could check my reasoning and could confirm whether the IAP-105's are vulnerable or not.  I'd really like to be 100% sure instead of the current 99% ;)

     

    Thanks!

    KR,

    Onno.



  • 109.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 17, 2017 05:35 AM

    Aruba Instant IAP 105 runs Aruba Instant 4.2.x at latest.

    The applicable version with fixes for KRACK for the IAP-105 will be: 6.4.4.8-4.2.4.9. And that is also the only firmware that both runs on IAP-105 and has the fixes.

     

    There can be some confusion in the version numbering as the Instant release is 4.2.4.9 [which is referred in the bulletin], which is based on ArubaOS 6.4.4.8, thus makes up the whole version number: 6.4.4.8-4.2.4.9.

     

    Starting ArubaOS 6.5.2, there is no different versioning scheme anymore for Aruba Instant and it will follow the same version as the ArubaOS where it was based on. That is why you see some 4.x and some 6.x releases in the bulletin.

     

    Hope this clarifies some of your questions.
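
Added example, not part of the original post and not Aruba tooling: a Python sketch that splits an Instant version or image name into the ArubaOS base and the Instant release, following the numbering described above, and compares the Instant release with the fixed releases named in this thread. The function names, the per-branch comparison and the treatment of a single version with major number 6 or higher as the unified scheme are assumptions of this example; the table is not the advisory's complete list.

```python
import re

# Fixed Instant releases named in this thread, keyed by release branch
# (first three fields). Assumption: a later build on the same branch also
# carries the fix. This is NOT the advisory's complete list.
FIXED_IN_THREAD = {
    (4, 1, 3): (4, 1, 3, 5),   # 6.4.2.6-4.1.3.5 (IAP-92/93)
    (4, 2, 4): (4, 2, 4, 9),   # 6.4.4.8-4.2.4.9
    (6, 5, 3): (6, 5, 3, 3),
    (6, 5, 4): (6, 5, 4, 2),
}

_VER = r"\d+(?:\.\d+){3}"      # exactly four dotted numeric fields
_NAME = re.compile(
    r"^(?:ArubaInstant_(?P<platform>[A-Za-z0-9]+)_)?"
    r"(?P<first>" + _VER + r")(?:-(?P<second>" + _VER + r"))?"
    r"(?:_(?P<build>\d+))?$"
)


def _fields(version):
    return tuple(int(part) for part in version.split("."))


def parse_instant_version(text):
    """Split a version string or image name into its components.

    Accepts "6.4.4.8-4.2.4.9", "6.5.4.2", "4.2.4.9" or a full image name
    such as "ArubaInstant_Centaurus_6.4.4.8-4.2.4.6_58505".
    """
    m = _NAME.match(text.strip())
    if m is None:
        raise ValueError("not a four-field Instant version: %r" % text)
    first = _fields(m.group("first"))
    if m.group("second"):
        # Old scheme: <ArubaOS base>-<Instant release>
        aos_base, instant = first, _fields(m.group("second"))
    elif first[0] >= 6:
        # Unified scheme: Instant carries the ArubaOS version itself
        aos_base = instant = first
    else:
        # Bare Instant release, as the bulletin writes it (e.g. 4.2.4.9)
        aos_base, instant = None, first
    build = m.group("build")
    return {
        "platform": m.group("platform"),
        "aos_base": aos_base,
        "instant_release": instant,
        "build": int(build) if build else None,
    }


def krack_fix_status(text):
    """Return 'patched', 'needs-upgrade' or 'unknown' for one version."""
    release = parse_instant_version(text)["instant_release"]
    fixed = FIXED_IN_THREAD.get(release[:3])
    if fixed is None:
        return "unknown"       # branch not named in this thread
    return "patched" if release >= fixed else "needs-upgrade"


def triage(inventory):
    """Map each inventory string to a status; malformed input is flagged."""
    result = {}
    for item in inventory:
        try:
            result[item] = krack_fix_status(item)
        except ValueError:
            result[item] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed inventory, using version strings quoted in this thread
    sample = [
        "ArubaInstant_Centaurus_6.4.4.8-4.2.4.6_58505",
        "ArubaInstant_Taurus_6.4.4.8-4.2.4.9_61734",
        "6.4.2.6-4.1.3.0",
        "6.5.0.0-4.3.0.0",
        "6.5.4.2",
        "6.4.26-4.1.3.3",      # three-field base: reported as unparseable
    ]
    for name, status in triage(sample).items():
        print("%-48s %s" % (name, status))
```

A result of "unknown" means the branch is not one of those named here, so the security bulletin has to be consulted for that release.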



  • 110.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 05:59 AM

    Hi Herman,

     

    Thank you very much for the clarification and quick response. This explains a lot more ;o)

     

    Thank you for filling out the missing 1%, I'm now 100% sure.

     

    Thanks!

    KR,

    Onno.



  • 111.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 05:58 AM

    Hi Guys

     

    We have a controller on 6.5.0.3. What version is the best one for update against this ? 6.5.3.3

     

    Regards



  • 112.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 17, 2017 07:11 AM

    @beconnect wrote:

    Hi Guys

     

    We have a controller on 6.5.0.3. What version is the best one for update against this ? 6.5.3.3

     

    Regards


    Any of these should work.

    -- 6.5.1.9
    -- 6.5.3.3
    -- 6.5.4.2


  • 113.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 06:37 AM

    Hi all,

     

    I have instant and controllers.

     

    Controllers run version 6.4.2.4 and others 6.4.2.14. Would the upgrade be to 6.4.4.16?

     

    And the Instant APs are running 6.5.0.0-4.3.0.0. Is this version affected? What is the version, 6.5 or 4.3?

     

    Best Regards



  • 114.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 17, 2017 07:14 AM

    @MrFrankie wrote:

    Hi all,

     

    I have instant and controllers.

     

    Controllers run version 6.4.2.4 and others 6.4.2.14. Would the upgrade be to 6.4.4.16?

     

    And the Instant APs are running 6.5.0.0-4.3.0.0. Is this version affected? What is the version, 6.5 or 4.3?

     

    Best Regards


    Yes, controllers should run 6.4.4.16. We just upgraded early this morning.

    For instant, either 6.5.3.3 or 6.5.4.2 should be OK.



  • 115.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 08:53 AM

    Hi all,

     

    One question. 

     

    Reading the FAQ i see this:

     

    Sin título.png

    This means that a controller that acts as an authenticator is vulnerable only if 802.11r is enabled. In my controllers 802.11r is disabled... so does the controller need to be upgraded?



  • 116.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 17, 2017 09:14 AM

    @MrFrankie wrote:

    Hi all,

     

    One question. 

     

    Reading the FAQ i see this:

     

    Sin título.png

    This means that a controller that acts as an authenticator is vulnerable only if 802.11r is enabled. In my controllers 802.11r is disabled... so does the controller need to be upgraded?


    If you do not have 802.11r enabled, and you are not using mesh, then you could safely wait a while longer to upgrade the controller.  But do pay attention to last week's advisories and make sure you're protected from those.



  • 117.  RE: WPA2 Vulnerability Discussion



  • 118.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 06:52 PM

    I have an Aruba IAP 115 connected to my switch in my home office, which is used to provide guest access to the Internet for my clients. 

     

    It's currently on firmware 6.4.26-4.1.3.3.

     

    Is there a patch available? 

     

    I've reviewed the documentation I found at this link, but am unable to determine if this patch can be safely installed on my device- http://support.arubanetworks.com/LifetimeWarrantySoftware/tabid/121/DMXModule/661/EntryId/27270/Default.aspx



  • 119.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 17, 2017 06:58 PM

    Yes, the 115 can be updated.  Go under the "Conservative Release" folder and then find 6.4.4.8-4.2.4.9.  You want the Pegasus image.

     

    You could also load the Pegasus image from any of the other releases.  The 115 seems to still be supported even in 6.5.4.2.



  • 120.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 07:06 PM

    Thanks for the quick reply!

     

    Edit:  Happy to report I'm currently on 6.5.4.3.



  • 121.  RE: WPA2 Vulnerability Discussion

    Posted Oct 17, 2017 11:59 PM

    As per this blog http://www.revolutionwifi.net/revolutionwifi

    9 CVEs are related to clients and the only solution is to patch the client. But that may take some time for us.

    Meantime, can we use WIDS to detect if our client is being attacked?

     



  • 122.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 18, 2017 06:08 AM

    @SumaN wrote:

    As per this blog http://www.revolutionwifi.net/revolutionwifi

    9 CVEs are related to clients and the only solution is to patch the client. But that may take some time for us.

    Meantime, can we use WIDS to detect if our client is being attacked?

     


    Please see here:  www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf, under "Can I detect if someone is attacking my network or devices?"



  • 123.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 09:06 AM


  • 124.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 07:50 AM

    @SumaN wrote:

     

    Meantime, can we use WIDS to detect if our client is being attacked?


    Aruba has a document. On patched versions there are new WDS logs that can indicate if there is a potential issue.

    My understanding is that you need to upgrade ArubaOS / InstantOS to get that capability.



  • 125.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 18, 2017 08:59 AM

    @bosborne wrote:

    @SumaN wrote:

     

    Meantime, can we use WIDS to detect if our client is being attacked?


    Aruba has a document. On patched versions there are new WDS logs that can indicate if there is a potential issue.

    My understanding is that you need to upgrade ArubaOS / InstantOS to get that capability.


    Do the wireless IDS features to detect these attacks also hit the IAPs?

     

     

    Geir



  • 126.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 09:04 AM

    According to Aruba's security bulletin, IAPs are affected. There is much discussion earlier in this thread.



  • 127.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 07:14 AM

    Hi ,

    We have the IAP 105 and IAP 205. For these, does Instant OS 6.4.4.8-4.2.4.9 have the fixes?

    I am confused about what 4.2.4.9 is (is it the same as 6.4.4.8-4.2.4.9 or is it different) that you mentioned in the security advisory.

     

    Regards,

    Mallikarjun



  • 128.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 07:52 AM

    @Mallikarjun Hiremath wrote:

    Hi ,

    We have the IAP 105 and IAP 205. For these, does Instant OS 6.4.4.8-4.2.4.9 have the fixes?

    I am confused about what 4.2.4.9 is (is it the same as 6.4.4.8-4.2.4.9 or is it different) that you mentioned in the security advisory.

     

    Regards,

    Mallikarjun


    They are the same. I think they stated it that way because there are some InstantOS versions that now follow the ArubaOS version numbering.



  • 129.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 07:30 AM

    Is Aruba Clearpass affected and any patches available?



  • 130.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 07:32 AM

    @kent2612 wrote:

    Is Aruba Clearpass affected and any patches available?


    No, not affected



  • 131.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 09:17 AM

    I received an email from this thread asking about IAP92/93.

     

    Jon Green from Aruba has verified the code is being developed now. Here is a quote.

     


    @jgreen wrote:

    The team has an updated version of 4.1 built now and is running it through testing.  I've been told a release date of no later than October 23.



  • 132.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 10:13 AM

    Hello 

     

    I have a few older controllers running 6.3.1 code.  It says we need to go to 6.3.1.25 code, and I am having a hard time finding the firmware on the web page. Can someone point me to the proper place to download this version?



  • 133.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 10:17 AM

    jellison@caleres.com wrote:

    Hello 

     

    I have a few older controllers running 6.3.1 code.  It says we need to go to 6.3.1.25 code, and I am having a hard time finding the firmware on the web page. Can someone point me to the proper place to download this version?


    Go to support.arubanetworks.com

    Lifetime Warranty Software tab

    WPA2 Security - Software Patches -> ArubaOS -> Conservative Release -> Release 6.3.1.25



  • 134.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 10:23 AM

    Thanks but I am not seeing a download for an  ARUBA 3600 controller on there. 



  • 135.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 10:26 AM

    jellison@caleres.com wrote:

    Thanks but I am not seeing a download for an  ARUBA 3600 controller on there. 


    I see this.

    Capture.PNG



  • 136.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 11:01 AM

    Hi all;

    I wonder if I have to upgrade or fix my 7220 controllers as well; are they affected by this vuln?

     

     

    my 7720's currently runs 6.3.1.13 

     

    Thanks

     

     



  • 137.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 11:04 AM

    @emrah wrote:

    Hi all;

    I wonder if I have to upgrade or fix my 7220 controllers as well; are they affected by this vuln?

     

     

    my 7720's currently runs 6.3.1.13 

     

    Thanks

     

     


    Boy that is old!

    You need to upgrade to at least 6.3.1.25



  • 138.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 12:19 PM

    Mr. Osborne,

     

    I have a very new Aruba system.  My AP's have the following firmware installed:

    ArubaInstant_Centaurus_6.4.4.8-4.2.4.6_58505

    ArubaInstant_Taurus_6.4.4.8-4.2.4.6_58505

     

    Am I vulnerable?

     

    Thanks!

     



  • 139.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 12:25 PM

    @Kpet wrote:

    Mr. Osborne,

     

    I have a very new Aruba system.  My AP's have the following firmware installed:

    ArubaInstant_Centaurus_6.4.4.8-4.2.4.6_58505

    ArubaInstant_Taurus_6.4.4.8-4.2.4.6_58505

     

    Am I vulnerable?

     

    Thanks!

     


     

    Yes, you need

    ArubaInstant_Centaurus_6.4.4.8-4.2.4.9_61734

    ArubaInstant_Taurus_6.4.4.8-4.2.4.9_61734



  • 140.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 12:45 PM
    Is anyone reading the FAQ posted or through the thread? It seems that a lot of answers are being repeated or is that just me?

    FAQ
    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

    You can find it in the 3rd comment on the first page.


  • 141.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 01:27 PM

    All of my Aruba IAP 205's are at 6.5.4.3, which I am pretty sure is patched.  I have a IAP 109 in the mix.   How do I figure out its firmware version?

     

     



  • 142.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 01:30 PM

    @alconaco wrote:

    All of my Aruba IAP 205's are at 6.5.4.3, which I am pretty sure is patched.  I have a IAP 109 in the mix.   How do I figure out its firmware version?

     

     


     

    6.5.4.3 has not been released. The newest is 6.5.4.2 which has the KRACK patch.



  • 143.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 01:32 PM

    I updated this morning and as you can see from the picture it is 6.5.4.3



  • 144.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 04:37 PM


  • 145.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 04:43 PM

    I logged into the IAP, went to maintenance, then to firmware, then check for new version.  That's what popped up.



  • 146.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 04:50 PM

    Interesting. I do not run any Instant AP so I cannot duplicate it. The IAP download site doesn't list it there either. I am pretty new at this, though; it may be that your method of checking is updated quicker than the website. I would expect the 6.5.4.3 IAP code to be posted here: https://support.arubanetworks.com/DownloadSoftware/tabid/75/DMXModule/510/EntryId/17072/Default.aspx



  • 147.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 18, 2017 04:59 PM
    Look under Conservative Release.


  • 148.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 05:06 PM
    Nope not there.


  • 149.  RE: WPA2 Vulnerability Discussion

    Posted Oct 18, 2017 05:00 PM
    Yup not there for me either but it seems for this particular issue it is available via the cloud...maybe a mistake?


    Thanks,
    Pash


  • 150.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 18, 2017 05:01 PM

    @alconaco wrote:

    I logged into the IAP, went to maintenance, then to firmware, then check for new version.  That's what popped up.


    OK, that's odd.  I don't think 6.5.4.3 should have been released yet.  Checking on it..



  • 151.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 18, 2017 08:54 PM

    Verdict:  6.5.4.3 should not have been released.  It was loaded to the image server for one beta customer but was supposed to be tagged as a non-production build.  In the process of loading all the new builds to address the security vulnerabilities, tagging it as beta didn't happen - it got tagged as a production release, so customers were able to download it.

     

    There's probably little danger in running it... it contains incremental bug fixes on top of 6.5.4.2.  However I might suggest that when the "real" 6.5.4.3 is released, you might want to download it.



  • 152.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 19, 2017 07:09 AM

    @jgreen wrote:

    Verdict:  6.5.4.3 should not have been released.  It was loaded to the image server for one beta customer but was supposed to be tagged as a non-production build.  In the process of loading all the new builds to address the security vulnerabilities, tagging it as beta didn't happen - it got tagged as a production release, so customers were able to download it.

     

    There's probably little danger in running it... it contains incremental bug fixes on top of 6.5.4.2.  However I might suggest that when the "real" 6.5.4.3 is released, you might want to download it.


    Thanks, Jon. 

     

    The original question remains. Does that build have the KRACK fixes?



  • 153.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 19, 2017 07:48 AM

    @bosborne wrote:

    @jgreen wrote:

    Verdict:  6.5.4.3 should not have been released.  It was loaded to the image server for one beta customer but was supposed to be tagged as a non-production build.  In the process of loading all the new builds to address the security vulnerabilities, tagging it as beta didn't happen - it got tagged as a production release, so customers were able to download it.

     

    There's probably little danger in running it... it contains incremental bug fixes on top of 6.5.4.2.  However I might suggest that when the "real" 6.5.4.3 is released, you might want to download it.


    Thanks, Jon. 

     

    The original question remains. Does that build have the KRACK fixes?


    Yes, it does.  Subsequent releases always contain everything that was in the previous release, due to the way the release control system works.



  • 154.  RE: WPA2 Vulnerability Discussion

    Posted Oct 19, 2017 10:38 AM

    I contacted support.  They informed that in fact 6.5.4.3 does not have the fix and reverted me back to 6.4.4.8.



  • 155.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 19, 2017 10:58 AM

    @alconaco wrote:

    I contacted support.  They informed that in fact 6.5.4.3 does not have the fix and reverted me back to 6.4.4.8.


    OK.  From a supportability standpoint that's probably the best plan, since unreleased code does have some unknowns.  But to avoid people having to disrupt their networks unnecessarily..  the bug numbers are 168097 and 168100.  Those fixes were integrated into the 6.5.x.x branch on 10/3 and 9/30, respectively.  The 6.5.4.3 branch was created on 10/13.  So the fixes are definitely there.  (TAC doesn't necessarily have access to this information, so I would not expect them to know at this level of detail.)



  • 156.  RE: WPA2 Vulnerability Discussion

    Posted Oct 20, 2017 04:59 AM

    Hi all,

     

    We have two Aruba controllers, a 3200XM and a 3600 both running ArubaOS 6.2.1.3 (I know this is verrrry old), to complicate things further we have 32 AP61's and 34 AP93's. I know the AP61 is EOL but are they supported on 6.3.1.25? Also, are the AP93's supported?

     

    If both AP models are supported can I go straight from 6.2.1.3 to 6.3.1.25?

     

    Many thanks,

     



  • 157.  RE: WPA2 Vulnerability Discussion

    Posted Oct 20, 2017 07:20 AM
    All your questions will be answered by looking at this link.

    http://www.arubanetworks.com/support-services/end-of-life/

    AP-61 supports 6.3
    3200XM seems like it supports up to 6.4

    With regards to going straight, I would review the release notes for an upgrade path.


    Thanks,
    Pash


  • 158.  RE: WPA2 Vulnerability Discussion

    Posted Oct 20, 2017 08:29 AM

    Thanks for the reply.

     

    Unfortunately, my company is no longer investing in their current Aruba environment, so this upgrade is to mitigate the latest WPA2 vulnerability. And as we no longer have a support contract getting information regarding upgrade paths etc. is difficult.



  • 159.  RE: WPA2 Vulnerability Discussion

    Posted Oct 20, 2017 09:31 AM
    The community is always here to help, so you always have some level of support from all of us.


  • 160.  RE: WPA2 Vulnerability Discussion

    Posted Oct 20, 2017 10:15 AM

    I've just read through the release notes (ArubaOS 6.3.1.25 Release Notes.pdf) and it looks like I can go straight to 6.3.1.25 from 6.2.x.x.

     

    Again, thanks for your comments.

     

    Regards,



  • 161.  RE: WPA2 Vulnerability Discussion

    Posted Oct 20, 2017 11:55 AM

    The FAQ says to go to firmware 6.5.3.3 for the IAPs but the IAP-105 only supports 6.4.4.8.

    Can anyone advise if that also closes this vulnerability?

    I ask as the Aruba site says end of support for the 105's is August 2020 so how can that be if there is no new firmware being released for them?

     

    Please advise..cheers.

     



  • 162.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 20, 2017 12:05 PM

    @CiaranFoster wrote:

    The FAQ says to go to firmware 6.5.3.3 for the IAPs but the IAP-105 only supports 6.4.4.8.

    Can anyone advise if that also closes this vulnerability?

    I ask as the Aruba site says end of support for the 105's is August 2020 so how can that be if there is no new firmware being released for them?

     

    Please advise..cheers.

     



    The bulletin mentioned InstantOS 42.4.9. So 6.4.4.8-4.2.4.9 is patched. Available here.

    http://support.arubanetworks.com/LifetimeWarrantySoftware/tabid/121/DMXModule/661/Default.aspx?EntryId=27282



  • 163.  RE: WPA2 Vulnerability Discussion

    Posted Oct 20, 2017 01:00 PM

    Will the release notes for 6.4.4.8-4.2.4.9 for the Instant-105 be updated to specifically mention the patch for KRACK? My superiors want proof via the release notes and are pressuring me before approving updated quotes for new Aruba hardware... because it hasn’t been stated even though it’s beyond my control. Thanks.



  • 164.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 20, 2017 01:06 PM

    @ja_bchs wrote:

    Will the release notes for 6.4.4.8-4.2.4.9 for the Instant-105 be updated to specifically mention the patch for KRACK? My superiors want proof via the release notes and are pressuring me before approving updated quotes for new Aruba hardware... because it hasn’t been stated even though it’s beyond my control. Thanks.


    InstantOS 4.2.4.9 is listed in the security advisory.

     

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt

     

    It is strange it is not mentioned in the Release Notes. Perhaps Jon Green can investigate. The pdf date is new enough it should have been there.



  • 165.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 20, 2017 02:33 PM

    @ja_bchs wrote:

    Will the release notes for 6.4.4.8-4.2.4.9 for the Instant-105 be updated to specifically mention the patch for KRACK? My superiors want proof via the release notes and are pressuring me before approving updated quotes for new Aruba hardware... because it hasn’t been stated even though it’s beyond my control. Thanks.



    Have a look here:

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=26883

     

    Seems like they may have only updated under the Documentation folder.  This is yet another reason I can't wait for the new support portal next year. :)



  • 166.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 20, 2017 02:53 PM

    @jgreen wrote:

    @ja_bchs wrote:

    Will the release notes for 6.4.4.8-4.2.4.9 for the Instant-105 be updated to specifically mention the patch for KRACK? My superiors want proof via the release notes and are pressuring me before approving updated quotes for new Aruba hardware... because it hasn’t been stated even though it’s beyond my control. Thanks.



    Have a look here:

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=26883

     

    Seems like they may have only updated under the Documentation folder.  This is yet another reason I can't wait for the new support portal next year. :)


    Thanks, Jon,

    That is cheating! Somebody just added it! Here is the Revision History.

    Capture.PNG



  • 167.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 20, 2017 07:45 AM

    @belee wrote:

    Hi all,

     

    We have two Aruba controllers, a 3200XM and a 3600 both running ArubaOS 6.2.1.3 (I know this is verrrry old), to complicate things further we have 32 AP61's and 34 AP93's. I know the AP61 is EOL but are they supported on 6.3.1.25? Also, are the AP93's supported?

     

    If both AP models are supported can I go straight from 6.2.1.3 to 6.3.1.25?

     

    Many thanks,

     


    I agree with the earlier response.

    You really need to upgrade your system. ArubaOS 8 offers a completely different management strategy. It will get increasingly more difficult to keep your existing system secure.

     

    ArubaOS 8 offers the possibility of using virtual machines for small controller deployments such as yours. I encourage you to talk to your Aruba Networks account team.



  • 168.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 20, 2017 09:33 AM

    Note, MeshOS 4.7.0.4 is now available for AirMesh customers.  The vulnerability advisory will be updated later today.

     

    InstantOS 6.4.2.6-4.1.3.5 is still on track for being released by Monday next week.



  • 169.  RE: WPA2 Vulnerability Discussion

    MVP
    Posted Oct 20, 2017 09:37 AM

    @jgreen wrote:

    Note, MeshOS 4.7.0.4 is now available for AirMesh customers.  The vulnerability advisory will be updated later today.

     

    InstantOS 6.4.2.6-4.1.3.5 is still on track for being released by Monday next week.


    Thanks Jon.

     

    AirMesh is for contract customers only? The other fixes are available publicly.



  • 170.  RE: WPA2 Vulnerability Discussion

    Posted Oct 20, 2017 10:13 PM

    Hi,

    What will be the solution for this issue? Are we forced to upgrade to the last version of ArubaOS?

    And what can be the impact for our customers, who don't have a support contract?

    Regards



  • 171.  RE: WPA2 Vulnerability Discussion

    EMPLOYEE
    Posted Oct 20, 2017 10:49 PM

    Recommendation is to upgrade as per Advisory.

     

    Customers can obtain the patch with the fixes from the following link:

     

    http://support.arubanetworks.com/LifetimeWarrantySoftware/tabid/121/DMXModule/661/EntryId/27269/Default.aspx

     



  • 172.  RE: WPA2 Vulnerability Discussion

    Posted Aug 07, 2018 01:45 PM

    I recently posted some questions to another WPA2 vulnerability.

    https://community.arubanetworks.com/t5/Wireless-Access/WPA2-Vulnerability-PMKID-hashcat/td-p/452675

    Perhaps it should have been put here, but this thread seemed old.