VN 2017-005 - KRACK, WPA2 Protocol Flaw
- Article Type: Vulnerability Notice
- Article Number:
- Last Modified:
A new research paper titled “Key Installation Attacks: Forcing Nonce Reuse in WPAv2” published on October 16, 2017, identifies a weakness in WPAv2 which can allow a sophisticated attacker to decrypt the contents of messages exchanged between the client and the access point. Both WPAv2-PSK and WPAv2-Enterprise are affected. The vulnerability concerns the mechanisms for key exchange including key derivation, installation, and retransmission between APs and clients. The vulnerability allows a skilled attacker, albeit requiring significant expertise and computing power, within proximity of the wireless link to replay packets from a client and eventually decrypt the communication.
Extreme Networks is evaluating exposure of our ExtremeWireless™, ExtremeWireless™ WiNG, and the WLAN 9100 Series portfolios. Hotfixes for the affected products will be made available on supported streams as they become available, starting on October 20, 2017. This notice will be updated to reflect new information as it becomes available.
Additional details of the vulnerability can be found here: https://www.krackattacks.com/
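The key reinstallation weakness described above, sketched as an added example that is not part of the original notice or of any Extreme Networks code: a toy client model in which a replayed handshake message 3 resets the transmit packet number, next to the patched behaviour that ignores a key already in use. The class and function names are hypothetical, the key and payloads are constructed, and a SHA-256 based keystream stands in for CCMP's AES counter mode.

```python
import hashlib

def keystream(tk, pn, length):
    """Toy stand-in for CCMP's AES counter mode: keystream depends only on (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Hypothetical minimal client: only key installation and frame encryption."""
    def __init__(self, patched):
        self.patched = patched
        self.tk = None   # temporal key currently installed
        self.pn = 0      # transmit packet number, the per-frame nonce input

    def on_message3(self, tk):
        # Patched behaviour: a repeated message 3 for the key already in use
        # must not reinstall it, so the packet number keeps counting up.
        if self.patched and tk == self.tk:
            return
        self.tk, self.pn = tk, 0   # (re)installation resets the packet number

    def send(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

def replay_message3(patched):
    """Send a frame, deliver message 3 again, send another frame.
    Returns (packet numbers used, whether both frames shared one keystream)."""
    tk = bytes(range(16))                                  # constructed sample key
    p1, p2 = b"frame one payload", b"frame two payload"    # constructed sample data
    sta = Supplicant(patched)
    sta.on_message3(tk)
    pn1, c1 = sta.send(p1)
    sta.on_message3(tk)                                    # replayed handshake message 3
    pn2, c2 = sta.send(p2)
    # With a shared keystream, c1 XOR c2 equals p1 XOR p2: the key cancels out.
    return (pn1, pn2), xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("unpatched:", replay_message3(False))
    print("patched:  ", replay_message3(True))
```

The unpatched model sends both frames under packet number 1, which is why applying the hotfix on every client and access point matters more than changing the passphrase.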
Products Potentially Affected
Fix Release Schedule
All Avaya 9100 products are being assessed and this Vulnerability Notice will be updated as more information is available.
A majority of the vulnerability releases are addressed to WiFi clients rather than access points, with the exception of the ones relating to 802.11r (Fast Transition Roaming). Two main functional scenarios are currently under assessment for potential exposure:
The only CVE from the set of WPA2 vulnerabilities that is currently assigned a CVSS score is CVE-2017-13077 "Reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the WPA2 four-way handshake." The score is 6.8 (medium), and US-CERT has given guidance that the remaining CVSS scores will be assigned as usual by the NIST NVD team over time. US-CERT did state that it is unlikely that the CVSS scores for the remaining CVEs will be higher than that of CVE-2017-13077, but this is speculative at this point as the NVD team needs to complete their research. Extreme Networks will closely monitor the NVD for CVSS score updates, and provide proactive notification as necessary when they come through.
Hotfixes for the affected products will be made available on supported streams as they become available, starting on October 20, 2017. Here's more information on How to Download Firmware Files for Extreme Networks Products.
Extreme Networks is offering a free, one-time download for ExtremeWireless and ExtremeWireless WiNG customers that are without a paid maintenance contract. This one-time download provides access to an updated firmware release, but does not include additional warranty or support from Extreme Networks without a paid support contract. The firmware is available on currently supported access point and controller models only. This one-time download is available at the following link:
A defense in depth posture with multiple levels of protection is the strongest mechanism to reduce security risks for most organizations. The following mitigation techniques can reduce the risk of these attacks:
A common form of the KRACK WPA/WPA2 attack originates as a man-in-the-middle (MitM) attack. ADSP customers are advised to keep a close eye on the following alarms, as potential indicators of the attack:
As an enhancement, ADSP is evaluating the addition of new signatures to more directly identify the attack as a KRACK WPA/WPA2 attack.
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.