I spoke to Meraki Support this morning and they stated the following:

 

The issue is mitigated in 24.11, which is released and stable at this time. They also recommended disabling 802.11r on all SSIDs as part of the fix.

Reply @ModulusJoe:

 

Ah, handy. That hasn't fed back to me yet. Good to hear that it was fixed. Wonder what their official press release will say...

Sure??

Wireless firmware versions MR 24.11 changelog
Bug fixes
Low level stability issue caused AP to reboot (MR58)
Low level stability issue caused AP to reboot (MR66/MR16/MR18)
Low level stability issue caused AP to fail over to mesh erroneously (MR66/MR16/MR18)
Tuned L3 roaming broadcast discovery frames to reduce network overhead (All MRs)
Traffic routing improvements to reduce overhead on Ap resources when 1000+ clients are connected to the network
Low power mode incorrectly displaying (MR18/MR32/MR24/MR72/MR16)
Low level stability issue during SSID provisioning caused AP to reboot (MR16/MR18/MR66)
Live tool widget formatting resulted in false negative results with the RADIUS test widget on the Dashboard (All MRs)
Known issues
Condition under investigation causes lower than expected throughput on the 2.4GHz radio (MR26/MR34)
Condition under investigation causes 2.4GHz radios to become unresponsive (MR32/MR72)
Condition under investigation causes radios to become unresponsive for 5 seconds in high density networks (MR34/MR32/MR72/MR26)
Condition under investigation causes MR34/MR32/MR72/MR26 to become unstable and reboot
Condition under investigation causes client to end fast roam midway through EAPOL which causes the client connection to hang
Condition under investigation causes Outdoor APs in the IC Regulatory Domain to not broadcast channels on frequencies higher than 5.35 GHz (Channel 64)
Mesh peering issue and recovery issue causes mesh instability (MR42/MR52/MR53/MR84)
Wireless packet capture missing a number of 802.11 frames (MR42/MR52/MR53/MR84)
Other
Enhancements to 802.11r implementation

The MX64W has not been updated and is still vulnerable.
The last stable firmware for it, MX12.24, was released Dec 22, 2016.

---

@Squuiid wrote:

The MX64W has not been updated and is still vulnerable.
The last stable firmware for it, MX12.24, was released Dec 22, 2016.

---

MXs with built-in WiFi are not vulnerable, as they do not support 802.11r

@GreenMan that is a false sense of security saying it is not vulnerable because it does not support 802.11r.  The issue affects more than just 802.11r.  The issue is more fundamental.  An worse still - it is the clients that are most vulnerable.  It is more important to get every client patched.

My understanding was that it affected networks other than 802.11r.  But what do I know I'm not on the Meraki Engineering staff.

@Warren it absolutely affects more than just 80211r.  It fundamentally affects WPA[1|2].

My Z1 was updated today to MX 14.17:

 

It certainly does, Warren but it's worth knowing that, of the 10 specific vulnerabilities, nine relate to Wi-Fi clients and one (CVE-2017-13082) to Access Points. This gets more complex though, as many APs also support 802.11 client-type features; e.g. workgroup bridging. This is not the case with Meraki Wi-Fi devices. To further complicate things, the AP vulnerability is specifically tied to 802.11r. Some Meraki Wi-Fi devices ((MX6xW and Z1/3) don't support 11r, hence no 2017-13082 fix for those models. @PhilipDAth is absolutely right, in the broader sense - all clients and all APs need checking.

@GreenMan It is refreshing to get such excellent responses from a vendor forum.
Thank you and well done Meraki!

Hello,
Just curious about detection of that atacak. Is it possible to configure Air Marshal, so that we can detect issue with affected clients?

Thank you,

Hi MM,

Unfortunately it's not possible for WiFi infrastructure to detect WiFi clients which are vulnerable to the KRACK issues that relate to them  (see the last but one entry in our FAQs doc, covering this:     https://documentation.meraki.com/zGeneral_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-...

Thanks for "super fast" response.

No problem...   

---

@PhilipDAth wrote:

@GreenMan that is a false sense of security saying it is not vulnerable because it does not support 802.11r.  The issue affects more than just 802.11r.  The issue is more fundamental.  An worse still - it is the clients that are most vulnerable.  It is more important to get every client patched.

---

Hi Philip - while it is very true to say that clients are the most vulnerable, the original point made was about MX appliances with built-in Wi-Fi.    As neither MX6xWs, nor Z1/Z3, have client-type capability (e.g. WorkGroup bridge), then only the KRACK flaw affecting Access Points is pertinent to MX & Zs.  As that specific flaw is bound up with 802.11r - and neither MXs nor Zs support 11r   (11r being a roaming technology - whereas MX6xW provide 'standalone' Wi-Fi), there was nothing to fix.   Thanks for re-iterating a key takeway though;  get your clients patched ASAP!

Z1 is also not listed. I have one running MX 14.15 and not sign of a new vesion. Scheduler lists 13.24 as latest beta and 12.26 as stable candidate ... go figure why the version is lower than what I'm running.

That's how it is the with the firmware updater.  If you want options other than what is shown you have to call support.  Just be glad that the firmware version is no longer a "trade secret" and kept under lock and key by Meraki.

Release notes 24.11 not advice that issue was fixed.

As I have mentioned, I get the distinct feeling that this may be because a patch to this issue was silently rolled into OpenBSD far earlier than other developers were allowed to. If Meraki OS is BSD based, it could have got the patch then. (Source: https://www.krackattacks.com)

 

 

 

 

Comments from other community memebers that version 24.11 does include a fix. 

 

Can Meraki provide official statement here to confirm that fix is included in 24.11 ??

@ruben_z8 No they don't explicitly call it out but if it was a silent deploy, like OpenBSD, that is to be expected. Also the last line item "Enhancements to 802.11r implementation" is pretty vague 🙂

@ModulusJoe even just the system stability improvements could have meant pulling in patches from upstream

https://www.krackattacks.com

@ModulusJoe Was Support suggesting that moving to 24.11 wasn't enough and that disabling 802.11r is ALSO required? 

They did, but reading the official post it sounds like that needed to be disabled before and can be re-enabled post install of the fix version.

I've just received this response from Meraki Technical support:

 

Our engineering team have informed me that the fix for this is in firmware MR25-7 and above. You may schedule the firmware upgrade from within the "Network-Wide -> Configure -> General -> Firmware Upgrades" section of Dashboard.

Got this message from support:
 
---------- Forwarded message ----------
From: support@meraki.com <support@meraki.com>
Date: Thu, Oct 19, 2017 at 9:39 PM
Subject: Cisco Meraki Case 02119545: Z1 update for "KRACK", VU#228519 [ ref:_00D606uBw._5000d1FpHsv:ref ]

 

Greetings,

 

Thank you for contacting Cisco Meraki Technical Support.

 

The firmware upgrade for the 802.11r aka KRACK/WPA2 vulnerability did come out but it was for Wireless Appliances that offer 802.11r.

 

Since Z1 appliances do not support 802.11r, we do not need to upgrade firmware for this particular issue.

 

Also I am attaching some documentation regarding KRACK/WPA2 vulnerability:

   802.11r Vulnerability FAQ
   https://documentation.meraki.com/zGeneral_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-...

 

Please let me know if you have any other questions or concerns and and I'd be happy to help.

Thank you,

Best Regards,

Roshan Shankar 
Cisco Meraki Technical Support

@MarcoS Thank you!

@MarcoS, the MX64W has not been updated and is still vulnerable.
Can you clarify what Meraki recommends for the MX64W and MX65W models?
Thanks.

Hi @Squuiid,

 

You can find this information at the very end of the document linked above.

 

"Are MX devices with wireless capabilities affected?
No. MX devices do not support 802.11r and are not affected by the vulnerability."

 

Regards,

Marco

@MarcoS Apologies, I had missed that, and thanks for the quick reply.
Meraki's response to this has been exemplary and a model to other vendors.
Thank you.

@Squuiid @MarcoS Agreed! This is really great to see how well prepared Meraki was for this. 

Looks like this is linked on the dashboard now.

 

IMPORTANT SECURITY UPDATE: A new security vulnerability in 802.11r has been recently discovered and documented as CVE-2017-13082 that makes Access Points with 802.11r enabled vulnerable to attacks. Click here to learn more. A list of any affected networks can be found in the Help menu. If you do not use 802.11r, you are not affected.

If only Cisco had been as prepared with their Aironet devices:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Fix release date for almost all current products is listed as TBD.

Do realise that fixing the infrastructure devices is not enough. Every single client has to also be fixed. In fact, fixing the clients will have a greater impact than patching the infrastructure devices.