Moderator

Re: WPA2 Vulnerability Discussion


bosborne wrote:

Jon mentioned in his article that TKIP is broken worse than AES.

 

Do these patches fix both TKIP and AES or just AES?


Both, from the Aruba infrastructure perspective.  Remember the client may need to be patched too.

 

TKIP is still bad - we fixed the key handshake issue, not the underlying weakness in TKIP.

---
Jon Green, ACMX, CISSP
Security Guy
Contributor I

Re: WPA2 Vulnerability Discussion


bosborne wrote:

rluechtefeld wrote:

jmsende wrote:

So to make a recap.

 

If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

 

Regards


Here is a quote from Aruba's IDS document.

 

When 802.11r is enabled, the attacker does key reinstallation attack
against FT (Fast BSS Transition) handshake via retransmitting
reassociation requests

 

That indicates to me that disabling 802.11r is only a partial workaround.

 


Thanks for the reply.  I am curious though, what in that statement makes you believe that you are still vulnerable?

 

 

Moderator

Updated FAQ attached

 
---
Jon Green, ACMX, CISSP
Security Guy
Frequent Contributor II

Re: WPA2 Vulnerability Discussion

I guess I should have quoted more from that page. 

 

According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

 

 

 


Bruce Osborne - Wireless Engineer
ACCP, ACMP
Moderator

Re: WPA2 Vulnerability Discussion


bosborne wrote:

I guess I should have quoted more from that page. 

 

According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

 

 

 


Turning off 802.11r will mitigate CVE-2017-13082, and only that CVE.  You'll need to assess, particularly for the client side, whether the other CVEs apply.  If the client is vulnerable to the 4-way handshake attack (CVE-2017-13077) then turning off 802.11r has no effect on that.

---
Jon Green, ACMX, CISSP
Security Guy
Moderator

List of vendor statements/patches

Provided by Andrew von Nagy:

 

http://www.revolutionwifi.net/revolutionwifi/2017/10/wpa2-krack-vulnerability-getting-information

---
Jon Green, ACMX, CISSP
Security Guy
Contributor I

Re: WPA2 Vulnerability Discussion


jgreen wrote:

bosborne wrote:

I guess I should have quoted more from that page. 

 

According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

 

 

 


Turning off 802.11r will mitigate CVE-2017-13082, and only that CVE.  You'll need to assess, particularly for the client side, whether the other CVEs apply.  If the client is vulnerable to the 4-way handshake attack (CVE-2017-13077) then turning off 802.11r has no effect on that.


Jon, thanks for your reply too.  I'm only responsible for the Aruba controllers and APs.  The client endpoints, i.e. enterprise owned laptops and devices are being addressed by another group in my organization.

 

Regarding guest devices, i.e. phones, tablets, etc. not owned by the enterprise, does the Aruba controller upgrade help prevent issues with those devices that have not been patched?  My initial reading of this issue makes me believe it doesn't, but I'm far from an expert in this area.

New Contributor

Re: WPA2 Vulnerability Discussion

Is there an update for the IAP-92 and IAP-93?

Moderator

Re: WPA2 Vulnerability Discussion


rluechtefeld wrote:

Regarding guest devices, i.e. phones, tablets, etc. not owned by the enterprise, does the Aruba controller upgrade help prevent issues with those devices that have not been patched?  My initial reading of this issue makes me believe it doesn't, but I'm far from an expert in this area.


It will not help those devices, although you do get the new WIDS signatures that can help detect the attack against them.  Most guest devices are generally on open networks though, where this attack has no effect.

---
Jon Green, ACMX, CISSP
Security Guy
Frequent Contributor II

Re: WPA2 Vulnerability Discussion

Can't they run the versions listed in the security advisory?

 All listed vulnerabilities have been fixed in the following InstantOS patch
 releases, which are available for download immediately:
  -- 4.2.4.9
  -- 4.3.1.6
  -- 6.5.3.3
  -- 6.5.4.2

Bruce Osborne - Wireless Engineer
ACCP, ACMP