Hi,
So this has been blowing up on Twitter, and does seem to be a pretty serious flaw with WPA2 rendering it pretty unusable for a security perspective. A few sites referencing this issue:
Additionally, it looks like Ubiquiti have a firmware patch in the works to mitigate the issue.
For reference, here are the CVE numbers from the krackattacks.com page from above:
What's the response from you guys regarding the possibility of getting this patched on our networks? (that is if a patch is possible, alternatively, what alternative authentication system do you recommend)
Cheers,
Rob
Solved! Go to solution.
Hi all,
Please refer to the following article for an explanation of the vulnerability and the firmware fix:
UPDATE 2pm PDT 16 Oct: Our blog post is the source of the most up-to-date information; please refer there first.
Regards,
Marco
Other vendors (Ubiquiti, Aruba, and even Netgear!) have already released updated firmware patching this vulnerability.
Why is Meraki lagging behind?
I spoke to Meraki Support this morning and they stated the following:
The issue is mitigated in 24.11, which is released and stable at this time. They also recommended disabling 802.11r on all SSIDs as part of the fix.
Reply @ModulusJoe:
Ah, handy. That hasn't fed back to me yet. Good to hear that it was fixed. Wonder what their official press release will say...
The MX64W has not been updated and is still vulnerable.
The last stable firmware for it, MX12.24, was released Dec 22, 2016.
@Squuiid wrote:The MX64W has not been updated and is still vulnerable.
The last stable firmware for it, MX12.24, was released Dec 22, 2016.
MXs with built-in WiFi are not vulnerable, as they do not support 802.11r
@GreenMan that is a false sense of security saying it is not vulnerable because it does not support 802.11r. The issue affects more than just 802.11r. The issue is more fundamental. An worse still - it is the clients that are most vulnerable. It is more important to get every client patched.
My understanding was that it affected networks other than 802.11r. But what do I know I'm not on the Meraki Engineering staff.
@Warren it absolutely affects more than just 80211r. It fundamentally affects WPA[1|2].
My Z1 was updated today to MX 14.17:
@GreenMan It is refreshing to get such excellent responses from a vendor forum.
Thank you and well done Meraki!
Hi MM,
Unfortunately it's not possible for WiFi infrastructure to detect WiFi clients which are vulnerable to the KRACK issues that relate to them (see the last but one entry in our FAQs doc, covering this: https://documentation.meraki.com/zGeneral_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-...
No problem...
@PhilipDAth wrote:@GreenMan that is a false sense of security saying it is not vulnerable because it does not support 802.11r. The issue affects more than just 802.11r. The issue is more fundamental. An worse still - it is the clients that are most vulnerable. It is more important to get every client patched.
Hi Philip - while it is very true to say that clients are the most vulnerable, the original point made was about MX appliances with built-in Wi-Fi. As neither MX6xWs, nor Z1/Z3, have client-type capability (e.g. WorkGroup bridge), then only the KRACK flaw affecting Access Points is pertinent to MX & Zs. As that specific flaw is bound up with 802.11r - and neither MXs nor Zs support 11r (11r being a roaming technology - whereas MX6xW provide 'standalone' Wi-Fi), there was nothing to fix. Thanks for re-iterating a key takeway though; get your clients patched ASAP!
Z1 is also not listed. I have one running MX 14.15 and not sign of a new vesion. Scheduler lists 13.24 as latest beta and 12.26 as stable candidate ... go figure why the version is lower than what I'm running.
That's how it is the with the firmware updater. If you want options other than what is shown you have to call support. Just be glad that the firmware version is no longer a "trade secret" and kept under lock and key by Meraki.
As I have mentioned, I get the distinct feeling that this may be because a patch to this issue was silently rolled into OpenBSD far earlier than other developers were allowed to. If Meraki OS is BSD based, it could have got the patch then. (Source: https://www.krackattacks.com)
Comments from other community memebers that version 24.11 does include a fix.
Can Meraki provide official statement here to confirm that fix is included in 24.11 ??
@ruben_z8 No they don't explicitly call it out but if it was a silent deploy, like OpenBSD, that is to be expected. Also the last line item "Enhancements to 802.11r implementation" is pretty vague 🙂
@ModulusJoe Was Support suggesting that moving to 24.11 wasn't enough and that disabling 802.11r is ALSO required?
They did, but reading the official post it sounds like that needed to be disabled before and can be re-enabled post install of the fix version.
As an update, I have raised a support case covering this issue on my account, and I have been told Meraki will provide an update on the issue "shortly".
Has anyone been able to try to exploit this vulnerability yet? I am offsite, so can't at the moment, however OpenBSD has been patched for ages so we *may* potentially already be patched depending on what the upstream for the Meraki network OS is. Wasn't Meraki mesh originally based off of OpenWRT (based off FreeBSD) or something when it was in research stages at MIT?
9:45am EST - spoke with support - he said it has not been resolved for the MX64W series, and then presumably the Z1 as well. He said that they hope to have an announcement in 30 minutes or so.
I've just received this response from Meraki Technical support:
Our engineering team have informed me that the fix for this is in firmware MR25-7 and above. You may schedule the firmware upgrade from within the "Network-Wide -> Configure -> General -> Firmware Upgrades" section of Dashboard.
Got this message from support:
---------- Forwarded message ----------
From: support@meraki.com <support@meraki.com>
Date: Thu, Oct 19, 2017 at 9:39 PM
Subject: Cisco Meraki Case 02119545: Z1 update for "KRACK", VU#228519 [ ref:_00D606uBw._5000d1FpHsv:ref ]
Greetings,
Thank you for contacting Cisco Meraki Technical Support.
The firmware upgrade for the 802.11r aka KRACK/WPA2 vulnerability did come out but it was for Wireless Appliances that offer 802.11r.
Since Z1 appliances do not support 802.11r, we do not need to upgrade firmware for this particular issue.
Also I am attaching some documentation regarding KRACK/WPA2 vulnerability:
802.11r Vulnerability FAQ
https://documentation.meraki.com/zGeneral_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-...
Please let me know if you have any other questions or concerns and and I'd be happy to help.
Thank you,
Best Regards,
Roshan Shankar
Cisco Meraki Technical Support
Hi all,
Please refer to the following article for an explanation of the vulnerability and the firmware fix:
UPDATE 2pm PDT 16 Oct: Our blog post is the source of the most up-to-date information; please refer there first.
Regards,
Marco
@MarcoS, the MX64W has not been updated and is still vulnerable.
Can you clarify what Meraki recommends for the MX64W and MX65W models?
Thanks.
@MarcoS Apologies, I had missed that, and thanks for the quick reply.
Meraki's response to this has been exemplary and a model to other vendors.
Thank you.
Looks like this is linked on the dashboard now.
IMPORTANT SECURITY UPDATE: A new security vulnerability in 802.11r has been recently discovered and documented as CVE-2017-13082 that makes Access Points with 802.11r enabled vulnerable to attacks. Click here to learn more. A list of any affected networks can be found in the Help menu. If you do not use 802.11r, you are not affected.
If only Cisco had been as prepared with their Aironet devices:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Fix release date for almost all current products is listed as TBD.