A new research paper titled “Key Installation Attacks: Forcing Nonce Reuse in WPAv2” published on October 16, 2017, identifies a weakness in WPAv2 which can allow a sophisticated attacker to decrypt the contents of messages exchanged between the client and the access point.  Both WPAv2-PSK and WPAv2-Enterprise are affected. The vulnerability concerns the mechanisms for key exchange including key derivation, installation, and retransmission between APs and clients.  The vulnerability allows a skilled attacker, albeit requiring significant expertise and computing power, within proximity of the wireless link to replay packets from a client and eventually decryp the communication.

Extreme Networks is evaluating exposure of our ExtremeWireless™, ExtremeWireless™ WiNG, and the WLAN 9100 Series portfolios. Hotfixes for the affected products will be made available on supported streams as they become available, starting on October 20, 2017. This notice will be updated to reflect new information as it becomes available.

Additional details of the vulnerability can be found here: https://www.krackattacks.com/

ExtremeWireless™ (IdentiFi)

• As an Authenticator in the 4 Way-Handshake
• Both unicast and group keys (e.g. multicast and broadcast) are vulnerable.
• 802.11r (Fast Transition) – ExtremeWireless™ is vulnerable to this attack due to deficiencies in the protocol.  802.11r is disabled by default.

See below for release schedule of all software streams with resolutions to these issues.

• Mesh/WDS connections are vulnerable to these attacks (Release vector and schedule pending)

• AP3900 Series
• AP3800 Series
• AP3700 Series
• AP3600 Series (No support for 802.11r)
• AP2600 Series (No support for 802.11r)

• 10.31.07.0002 (AP3700, AP3800, AP3900) (Released October 20, 2017)
• 10.41.01.0082 – Hotfix (AP3700, AP3800, AP3900) (Released November 6, 2017)
• 9.21.19.0003 (AP3600, AP3700, AP3800) (Released November 2, 2017)
• 9.21.19.xxxx (AP2600) (Target: Pending)

ExtremeWireless™ WiNG

• WPAv2 4 Way-Handshake
  Not vulnerable with unicast traffic but vulnerable with group keys (e.g. broadcast and multicast traffic).
• 802.11r (Fast transition)
  ExtremeWireless™ WiNG is vulnerable to this attack due to deficiencies in the protocol.
• MeshConnex
  Vulnerable to the WPAv2 handshake MITM attack.
• Client Bridge Mode
  Vulnerable to the WPAv2 handshake MITM attack.

• AP 84xx
• AP 85xx
• AP 76xx
• AP 75xx
• AP 81xx
• AP 65xx / 650 / 622
• AP 71xx
• T-5 Series

• WiNG 5.8.6.7 (Released October 20, 2017) (Contains common fixes for KRACK)
• WiNG 5.8.6.8 (Released December 1, 2017) (Additional KRACK fixes for APs using Client-Bridge mode)
• WiNG 5.9.0.2 (Released October 24, 2017)
• WiNG 5.9.1.1 (Released November 7, 2017)
• WiNG 5.9.1.2 (Released November 22, 2017)

ExtremeWireless™ WiNG T5

• WiNG 5.4.2.1-011r (Released October 24, 2017)

ExtremeCloud™ APs
ExtremeCloud 4.11.01-26

• ExtremeWireless™ (Released November 24) - 10.41.02.0014
• ExtremeWireless™ WiNG (Released November 24) - 5.8.3.14-013R

WLAN 8100/9100 Series
All Avaya 9100 products are being assessed and this Vulnerability Notice will be updated as more information is available.

• WPAv2 4-Way Handshake
• Meshing

Extreme/Avaya are working to take necessary actions to address the vulnerability as soon as possible in access point software patches.

• AOS 8.3.5 (Target: October 31, 2017)   
• AOS 8.4.3 (Target: November 20, 2017)
• AOSL 8.2.4 (Target: Pending)
• AOSL 8.4.1 (Target: Pending)

In advance of a patch, we recommend the following for WLAN 9100 customers:

• Disable TKIP encryption
  This is the most important precaution to take. While TKIP usage is not common, the combination of this previously known vulnerability combined with this one could be particularly troublesome.
• Ensure your WiFi clients are patched and kept up to date.
• Turn off 802.11r feature if you are using it (it is disabled by default and not supported on 8100).
• Turn on 802.11w protected management frames. (This is not possible to be enabled through WOS and would need to be enabled in a configuration script).

A majority of the vulnerability releases are addressed to WiFi clients rather than access points, with the exception of the ones relating to 802.11r (Fast Transition Roaming). Two main functional scenarios are currently under assessment for potential exposure:

1. AP as authenticator
   a. AP operates as authenticator for all WPA2 operations between clients and AP on WPAv2 protected SSIDs (PSK or EAP) and in support of 802.11r (Fast Roaming).
2. AP as client
   a. APs can operate as clients to other APs in support of WDS/Mesh. When operating as a client the AP could be vulnerable to message replaying in assuming they’re part of a retransmission.

Regarding the CVSS Score(s)
The only CVE from the set of WPA2 vulnerabilities that is currently assigned a CVSS score is CVE-2017-13077 "Reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the WPA2 four-way handshake." The score is 6.8 (medium), and US-CERT has given guidance that the remaining CVSS scores will be assigned as usual by the NIST NVD team over time. US-CERT did state that it is unlikely that the CVSS scores for the remaining CVEs will be higher than that of CVE-2017-13077, but this is speculative at this point as the NVD team needs to complete their research. Extreme Networks will closely monitor the NVD for CVSS score updates, and provide proactive notification as necessary when they come through.

Hotfixes for the affected products will be made available on supported streams as they become available, starting on October 20, 2017. Here's more information on How to Download Firmware Files for Extreme Networks Products.

Extreme Networks is offering a free, one-time download for ExtremeWireless and ExtremeWireless WiNG customers that are without a paid maintenance contract. This one-time download provides access to an updated firmware release, but does not include additional warranty or support from Extreme Networks without a paid support contract. The firmware is available on currently supported access point and controller models only. This one-time download is available at the following link:
https://learn.extremenetworks.com/Wi-Fi-Vulnerability-Firmware-Download-oct2017_LP.html

A defense in depth posture with multiple levels of protection is the strongest mechanism to reduce security risks for most organizations. The following mitigation techniques can reduce the risk of these attacks:

1. Use Extreme ADSP or ExtremeWireless Radar to reduce the risk of man-in-the-middle attacks, a pre-cursor to this attack.
2. Disable 802.11r until a hotfix has been released
   a. 802.11r is disabled by default in ExtremeWireless(TM), ExtremeWireless(TM) WiNG and 9100 Series products.
3. Use application layer encryption, SSL, or VPN to provide an extra layer of protection for critical communications and/or data.
4. Patch client devices
   a. This is the weakest link and most difficult to address due to the large, uncontrolled number of client devices.

ADSP
A common form of the KRACK WPA/ WPA2 attack originates as a man-in-the-middle (MitM) attack. ADSP customers are advised to keep a close eye on the following alarms, as potential indicators of the attack:

• AP Impersonation detected
• ID Theft – Out of sequence
• ID Theft – Vendor IE missing
• Honeypot AP detected
• Multipot attack detected

If any of the above alarms are triggered, check for transmissions from the device on a non-operating channel. A symptom of the attack is overlapping/intermixed packet transmissions from two devices with identical MAC addresses and identical SSIDs; but operating on two different channels within a close time interval – with one device on an operating channel (the device under attack). Forensics can be used to look for this information. If the attack is in progress, Liveview can also be used.
 
As an enhancement, ADSP is evaluating addition of new signatures to more directly identify the attack as a KRACK WPA/WPA2 attack.