Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

WPA2 Vulnerability Discussion

  • 1.  WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:22 AM

    Let's use this thread for discussion and Q&A on the industry-wide WPA2 vulnerability (http://www.arubanetworks.com/support-services/security-bulletins). We'll have people monitoring throughout the week.

     

    I also want to call your attention to some new RFProtect features that were added to ArubaOS in order to help detect the attack.  This is new enough that the technical documentation hasn't been updated yet - but the attached PDF should help.




  • 2.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:33 AM

    Hi Jon,

     

    Can I assume that there is no impact on corporate networks that are using EAP-TLS? Or are these connections vulnerable as well?



  • 3.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:37 AM

    Both WPA2-PSK and WPA2-Enterprise are affected by this, so even if using EAP-TLS it's still a problem.  Have a look at the FAQ.



  • 4.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 07:51 AM

    Hi jgreen,

     

    Thanks for opening this topic. In my case, I would need Aruba Instant 6.5.3.3 but that has already been available since October 10th on the support website, and I can't find anything about WPA2 vulnerability or bug id 168101 in the release notes. Any chance I'm missing something?


    Kind regards

     

     



  • 5.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 07:57 AM

    When all of the fixed versions of software were posted, the vulnerabilities were not yet public.  So the release notes do not mention them.  Now that the vulnerabilities are public, the release notes will be revised.



  • 6.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 08:00 AM

    Question asked through email: "Is OKC affected in the same way as 802.11r?"  Answer: no.  The FT handshake defined in 802.11r is the source of CVE-2017-13082.  OKC doesn't use that.



  • 7.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 08:24 AM

    @jgreen wrote:

    Question asked through email: "Is OKC affected in the same way as 802.11r?"  Answer: no.  The FT handshake defined in 802.11r is the source of CVE-2017-13082.  OKC doesn't use that.


    That is good to know, thanks!



  • 8.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:36 AM

    What is OKC?  

     

    The FAQ link above mentions that if 802.11r Fast BS is not in use on the controllers you are not vulnerable, with the exception of controllers using the "Mesh" feature of the Aruba OS. 

    I validated all our controllers with the "show wlan dot11r-profile" command and saw all our reference counts are zero.  So with the exception of our mesh controllers we should not be affected, correct?

     



  • 9.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 08:00 AM

    Great, thanks for the quick response!



  • 10.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 09:04 AM

    @jgreen wrote:

    When all of the fixed versions of software were posted, the vulnerabilities were not yet public.  So the release notes do not mention them.  Now that the vulnerabilities are public, the release notes will be revised.


    Has the code for MST-200 MeshOS been released? The announcement indicates it has not yet been released.



  • 11.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 09:43 AM

    Are you also adding support for detection of KRACK-attack in RFProtect IPS/IDS?

     

    Kismet is adding support: https://twitter.com/KismetWireless/status/919911322451632128



  • 12.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 09:47 AM

    @Arjan_k: From the FAQ:

     

    Q: Can I detect if someone is attacking my network or devices?
    A: Aruba software checks for replay counter mismatches on a per-client basis and will produce a log message if detection is triggered. The log message begins with “Replay Counter Mismatches“, followed by additional details.
    Aruba has also released new RFProtect (WIDS) features and signatures to help detect attacks. These features are available in the following ArubaOS releases:
    • 6.4.4.16
    • 6.5.1.9
    • 6.5.3.3
    • 6.5.4.2
    • 8.2.0.0



  • 13.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 09:50 AM
    @John, from the PDF located here

    http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/74698/1/WPA2%20Vulnerability%20IDS%20feature.pdf

    Page 4, the command is logging level warnings security subcat ids

    The one mentioned in the document is incorrect. Typo simply.


  • 14.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:37 AM

    I can't seem to find 6.4.4.16 on the download site..

    Is anybody aware of when the patch releases will actually be made available for download?


    Screen Shot 2017-10-16 at 7.36.11 AM.png



  • 15.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:41 AM

    The tree is too long to capture, but look here

    6.4.4.16.PNG

     



  • 16.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:42 AM

    Seeing the same. 6.4.4.16 is not available to download yet, looks like?



  • 17.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:45 AM

    @islander91 wrote:

    Seeing the same. 6.4.4.16 is not available to download yet, looks like?


    Sign in and look under "Conservative Releases". If you cannot sign in, look under "Lifetime Warranty Software" for the publicly released files.



  • 18.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:00 AM

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards



  • 19.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:24 PM

    @jmsende wrote:

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards


    I've seen this question asked a couple of times, and I am wondering the same thing, but there haven't been any answers. Is this hard to say for certain? The FAQ seems pretty clear, but it would be nice to have verification.


  • 20.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:28 PM

    @rluechtefeld wrote:

    @jmsende wrote:

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards


    Here is a quote from Aruba's IDS document.

     

    When 802.11r is enabled, the attacker does key reinstallation attack
    against FT (Fast BSS Transition) handshake via retransmitting
    reassociation requests

     

    That indicates to me that disabling 802.11r is only a partial workaround.

     



  • 21.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:39 PM

    @bosborne wrote:

    @rluechtefeld wrote:

    @jmsende wrote:

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards


    Here is a quote from Aruba's IDS document.

     

    When 802.11r is enabled, the attacker does key reinstallation attack
    against FT (Fast BSS Transition) handshake via retransmitting
    reassociation requests

     

    That indicates to me that disabling 802.11r is only a partial workaround.

     


    Thanks for the reply.  I am curious though, what in that statement makes you believe that you are still vulnerable?

     

     



  • 22.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:44 PM

    I guess I should have quoted more from that page. 

     

    According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

     

     

     



  • 23.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:57 PM

    @bosborne wrote:

    I guess I should have quoted more from that page. 

     

    According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

     

     

     


    Turning off 802.11r will mitigate CVE-2017-13082, and only that CVE.  You'll need to assess, particularly for the client side, whether the other CVEs apply.  If the client is vulnerable to the 4-way handshake attack (CVE-2017-13077) then turning off 802.11r has no effect on that.



  • 24.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 01:22 PM


  • 25.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 01:26 PM

    @jgreen wrote:

    @bosborne wrote:

    I guess I should have quoted more from that page. 

     

    According to Jon's updated FAQ disabling 802.11r should mitigate the issue. It is turned off by default.

     

     

     


    Turning off 802.11r will mitigate CVE-2017-13082, and only that CVE.  You'll need to assess, particularly for the client side, whether the other CVEs apply.  If the client is vulnerable to the 4-way handshake attack (CVE-2017-13077) then turning off 802.11r has no effect on that.


    Jon, thanks for your reply too.  I'm only responsible for the Aruba controllers and APs.  The client endpoints, i.e. enterprise owned laptops and devices are being addressed by another group in my organization.  

     

    Regarding guest devices, i.e. phones, tablets, etc. not owned by the enterprise, does the Aruba controller upgrade help prevent issues with those devices that have not been patched?  My initial reading of this issue makes me believe it doesn't, but I'm far from an expert in this area.



  • 26.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 01:37 PM

    rluechtefeld wrote:

    Regarding guest devices, i.e. phones, tablets, etc. not owned by the enterprise, does the Aruba controller upgrade help prevent issues with those devices that have not been patched?  My initial reading of this issue makes me believe it doesn't, but I'm far from an expert in this area.


    It will not help those devices, although you do get the new WIDS signatures that can help detect the attack against them.  Most guest devices are generally on open networks though, where this attack has no effect.



  • 27.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 02:43 PM

    Where is the configuration to make sure 802.11r Fast BSS Transition is not enabled?



  • 28.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 02:45 PM

    @Chez379 wrote:

    Where is the configuration to make sure 802.11r Fast BSS Transition is not enabled?


    We did this to check for 802.11r.

     

    (ARUBA-MASTER-GH) #show wlan dot11r-profile

    802.11r Profile List
    --------------------
    Name References Profile Status
    ---- ---------- --------------
    default 0

    Total:1

    (ARUBA-MASTER-GH) #

     



  • 29.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 02:57 PM

    Is there a place in the GUI to check this, can't seem to putty into the controller.  This is in the AirWave interface, NOT the controller interface, correct?


    @bosborne wrote:

    @Chez379 wrote:

    Where is the configuration to make sure 802.11r Fast BSS Transition is not enabled?


    We did this to check for 802.11r.

     

    (ARUBA-MASTER-GH) #show wlan dot11r-profile

    802.11r Profile List
    --------------------
    Name References Profile Status
    ---- ---------- --------------
    default 0

    Total:1

    (ARUBA-MASTER-GH) #

     


     



  • 30.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:04 PM

    This was CLI (puTTY is OK) on the controller.

    From WebUI you can go to:

    Configuration -> ADVANCED SERVICES -> All Profiles -> Wireless LAN -> 802.11r.

    In Profile Details click on Show Reference.




  • 31.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:11 PM

    Thank You!!!

    @bosborne wrote:

    This was CLI (puTTY is OK) on the controller.

    From WebUI you can go to:

    Configuration -> ADVANCED SERVICES -> All Profiles -> Wireless LAN -> 802.11r.

    In Profile Details click on Show Reference.



     



  • 32.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:22 PM

    Had to check 90 controllers today.  I just created a script and ran "show wlan dot11r-profile".  Took about 10 minutes.

     



  • 33.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:24 PM

    @ascott wrote:

    Had to check 90 controllers today.  I just created a script and ran "show wlan dot11r-profile".  Took about 10 minutes.

     


    90 standalone masters?

    Most sites that size push the configuration from a master controller (preferably an HA pair).



  • 34.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 03:32 PM

    Yep, 90 standalone master controllers.  Airwave manages our configurations, no issues there.  But for the sanity check on this vulnerability I wanted to manually validate each device.  Rather than accessing one at a time, I exported all the management IPs from Airwave into a list and used that list as part of the script.  The script logged into each device in the list one at a time, ran the command and output everything to a log file.  I was able to see the zero references for each controller as it ran so I really didn't need the log file.  To me this was a clean and easy way.
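
The sanity check described in the posts above (run `show wlan dot11r-profile` on every controller and confirm zero references), as an added example that is not part of the thread or of Aruba's tooling: it parses saved command output per controller, flags any 802.11r profile with a non-zero reference count for review, and treats missing or truncated output as unverified rather than clean. The IP addresses, the `(SITE-B)` prompt, the `ft-voice` profile and the assumption that profile names contain no spaces are constructed for illustration.

```python
import re

# Constructed sample: captured CLI output keyed by controller management IP.
# The first capture copies the layout posted in this thread; the rest are made up.
SAMPLE_CAPTURES = {
    "192.0.2.10": """\
(ARUBA-MASTER-GH) #show wlan dot11r-profile

802.11r Profile List
--------------------
Name References Profile Status
---- ---------- --------------
default 0

Total:1

(ARUBA-MASTER-GH) #
""",
    "192.0.2.11": """\
(SITE-B) #show wlan dot11r-profile

802.11r Profile List
--------------------
Name      References  Profile Status
----      ----------  --------------
default   0
ft-voice  2

Total:2

(SITE-B) #
""",
    # Login never succeeded, so the log holds no table at all.
    "192.0.2.12": "ssh: connect to host 192.0.2.12 port 22: Connection timed out\n",
}

ROW = re.compile(r"^(\S+)\s+(\d+)(?:\s+(.*\S))?\s*$")   # name, references, optional status
TOTAL = re.compile(r"^Total:\s*(\d+)\s*$")


def parse_dot11r_profiles(output):
    """Return {profile_name: references}, or None if the table is absent or incomplete."""
    lines = [line.strip() for line in output.splitlines()]
    profiles, total, in_table = {}, None, False
    for i, line in enumerate(lines):
        if not in_table:
            # Data rows start after the dashes that sit under the "Name ..." header.
            in_table = line.startswith("----") and i > 0 and lines[i - 1].startswith("Name")
            continue
        total_match = TOTAL.match(line)
        if total_match:
            total = int(total_match.group(1))
            break
        row = ROW.match(line)
        if row:
            profiles[row.group(1)] = int(row.group(2))
    # A missing or mismatched "Total:" line means the capture cannot be trusted.
    if total is None or total != len(profiles):
        return None
    return profiles


def audit(captures):
    """Map each controller to ('no-references' | 'review' | 'unverified', referenced profiles)."""
    report = {}
    for host, output in captures.items():
        profiles = parse_dot11r_profiles(output)
        if profiles is None:
            report[host] = ("unverified", [])
            continue
        referenced = sorted(name for name, refs in profiles.items() if refs > 0)
        report[host] = ("review" if referenced else "no-references", referenced)
    return report


if __name__ == "__main__":
    for host, (status, names) in sorted(audit(SAMPLE_CAPTURES).items()):
        print(f"{host:<14} {status:<14} {', '.join(names)}")
```

A zero reference count only speaks to 802.11r; as the thread notes, controllers using mesh are a separate case.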

     

     



  • 35.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:28 PM

    @rluechtefeld wrote:

    @jmsende wrote:

    So to make a recap.

     

       If you are not using 802.11r and have Mesh disabled you are not vulnerable to the attack. Is that true?

     

    Regards


    I've seen this question asked a couple of times, and I am wondering the same thing, but there haven't been any answers. Is this hard to say for certain? The FAQ seems pretty clear, but it would be nice to have verification.

    There are two sides in Wi-Fi - the AP and the client.  Both sides may have vulnerabilities.  If you are not using 802.11r or mesh, then the Aruba AP side of the equation is safe and you can safely leave your Aruba software unpatched (well except for last week's advisories...)

     

    On the client side, the 4-way handshake may be vulnerable.  This depends on your client manufacturer.  If you leave that vulnerability unpatched, then you are NOT safe.

     

    If you have clients that are NOT vulnerable to the 4-way handshake, but ARE vulnerable to 802.11r, and you have disabled 802.11r on the AP side, then you should also be safe.



  • 36.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 12:31 PM

    "If you are not using 802.11r or mesh,"

     

    How do we tell that from Airwave managing IAPs?

     



  • 37.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:45 AM

    They put it under "conservative releases" for some reason.

     

     

    Screen Shot 2017-10-16 at 7.44.17 AM.png



  • 38.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:02 AM

    Hum.

    I have a 3200 controller.

    It's not clear to me which one of these images I should be trying to install on my controller.



  • 39.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:10 AM

    @Viss wrote:

    Hum.

    I have a 3200 controller.

    It's not clear to me which one of these images I should be trying to install on my controller.


    3200 or 3200XM?

    3200 cannot be upgraded past 6.1.x which was end of support May 2015.

    For 3200XM, depending on your current version, I personally would try either 6.3.1.25 or 6.4.4.16.



  • 40.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:13 AM

    I'm currently running 6.4.4.9, and I'm trying to upgrade to 6.4.4.16, however what appear to be the 'model numbers' in the firmware filenames say 6xx, 70xx, and 72xx. I'm not sure which to select, or if it will brick my controller if I use the wrong one.



  • 41.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:18 AM

    @Viss wrote:

    I'm currently running 6.4.4.9, and I'm trying to upgrade to 6.4.4.16, however what appear to be the 'model numbers' in the firmware filenames say 6xx, 70xx, and 72xx. I'm not sure which to select, or if it will brick my controller if I use the wrong one.


    For the 3000 controller, or the 6000/M3, take the MMC architecture.



  • 42.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:19 AM

    oh I got it.

    the descriptions are missing in the 6.4.4.16 release section.

    If you go to the 6.3.1.25 section, the notes are there and it says the 'MMC' version of the firmware is for the 3200 series controllers.

     

    Looks like in the rush to get the fixed versions out they skipped all the remarks sections for all the 6.4.4.16 releases.

     

    sigh.



  • 43.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:26 AM

    @Viss wrote:

    oh I got it.

    the descriptions are missing in the 6.4.4.16 release section.

    If you go to the 6.3.1.25 section, the notes are there and it says the 'MMC' version of the firmware is for the 3200 series controllers.

     

    Looks like in the rush to get the fixed versions out they skipped all the remarks sections for all the 6.4.4.16 releases.

     

    sigh.


     

    MMC is for 3200XM, 3400, 3600 controller.

    They all use the same CPU architecture.



  • 44.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:16 AM

    In the meantime between installing an appropriate firmware, are there other things that can/should be done to alleviate the risk?

     

    For example, how do we tell if an IAP cluster is running 802.11r or OKC? Also, how do we know if we're using “Wi-Fi uplink" and is that an issue?

     

    Are there actions that we can perform to reduce the risk before all access points are updated e.g. disable 802.11r and Wi-Fi Uplink ?

     

    Finally on the client side, what actions are needed as I saw a previous post said BOTH sides need to be addressed (Windows 7/10 clients).

     

     

    Any info will be appreciated.

    Cheers.

     



  • 45.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:29 AM
    OKC is enabled by default in a WPA2-PSK network but if you have a WPA2-Enterprise network in your IAP config, you will see a checkbox that will show you either checked or not.
    The same applies for 802.11r.

    For Wi-Fi Uplink, well are you using another wireless network to connect your IAP to for a WAN link? Under System -> Advanced -> Uplink -> Wi-Fi

    On the client side, you need to speak with the wireless chipset vendors.

    Aruba has taken care of the infrastructure side of things.


  • 46.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:11 AM

    Check "Conservative Releases" listing instead of Standard Releases.



  • 47.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:48 AM

    @arjan_k wrote:

    Are you also adding support for detection of KRACK-attack in RFProtect IPS/IDS?

     

    Kismet is adding support: https://twitter.com/KismetWireless/status/919911322451632128


    See the attached PDF file.




  • 48.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:55 AM

    I've seen a few people commenting about OKC.  OKC is not affected by the FT handshake vulnerability - you do not need to disable OKC.

     

    I've added this to the FAQ.



  • 49.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 11:47 AM

    @bosborne wrote:


    Has the code for MST-200 MeshOS been released? The announcement indicates it has not yet been released.


    MST code has not been released yet - I don't have any updates on that yet.



  • 50.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 09:58 AM

    I have multiple Aruba IAP-135's deployed and need to patch for this vulnerability.  The only firmware revision available is 6.4.4.8-4.2.4.9_61734.

     

    Is this revision a pre-requisite for 6.5.3.3?  

     

    Or will 6.5.3.3 not be available for the IAP-135 model?



  • 51.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:01 AM

    Is an unpatched client still vulnerable while connected to a Patched Access Point? Or do both ends need to be patched to resolve this issue?



  • 52.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:03 AM

    @msuiter wrote:

    Is an unpatched client still vulnerable while connected to a Patched Access Point? Or do both ends need to be patched to resolve this issue?


    Both ends need to be fixed.



  • 53.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:12 PM
    @msuiter wrote:

    Is an unpatched client still vulnerable while connected to a Patched Access Point? Or do both ends need to be patched to resolve this issue?

    Both ends need to be fixed.

     

    Are you certain about this?

     

    I found this online.

    https://exchange.xforce.ibmcloud.com/collection/396ecb6880625d6e58dd7636b7c8e8fd

    "According to the announcement linked below, if even only one of the devices (client or access point) has been patched, the pair are not vulnerable to this form of attack."

     

    I was unable to locate the original announcement that it references.



  • 54.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 06:24 PM

    @jbyun wrote:

     

    Are you certain about this?

     

    I found this online.

    https://exchange.xforce.ibmcloud.com/collection/396ecb6880625d6e58dd7636b7c8e8fd

    "According to the announcement linked below, if even only one of the devices (client or access point) has been patched, the pair are not vulnerable to this form of attack."

     

    I was unable to locate the original announcement that it references.


    The set of vulnerabilities can be divided into two groups.

     

    The 4-way handshake and group key vulnerability affects the CLIENT side.  Patching the AP side will do nothing to control this.

     

    The 802.11r FT handshake vulnerability affects the AP side.  Patching the AP side, or disabling 802.11r on the AP side, is sufficient to mitigate this vulnerability.  Patching the client side alone does not stop the attack.

     

    Conclusion:  Updates are needed on both sides.

     

    Aruba APs can sometimes act like clients (mesh mode, primarily).  That's why Aruba is affected by both groups of vulnerabilities.  However, if you disable 802.11r and are not using mesh, you can safely delay updating your Aruba software.



  • 55.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:02 AM

    @tgb wrote:

    I have multiple Aruba IAP-135's deployed and need to patch for this vulnerability.  The only firmware revision available is 6.4.4.8-4.2.4.9_61734.

     

    Is this revision a pre-requisite for 6.5.3.3?  

     

    Or will 6.5.3.3 not be available for the IAP-135 model?


    6.4.4.8-4.2.4.9 is the version to go to... this also includes the patch.



  • 56.  RE: WPA2 Vulnerability Discussion

    Posted Oct 16, 2017 10:05 AM

    Aruba Instant 4.2.x is the last available firmware version for the IAP-135:

    http://www.arubanetworks.com/support-services/end-of-life/#AccessPoints