
Security Update: WPA and WPA2 Vulnerabilities (KRACK)


October 18, 2017

Summary

A vulnerability affecting WPA and WPA2 authentication has been published. The flaw is in the WiFi security protocol itself (WPA/WPA2), which Cradlepoint and most, if not all, Wi-Fi devices use. On Cradlepoint devices the attack surface is limited. However, customers should mitigate the potential threat using the information below.

 

Cradlepoint is incorporating a patch that addresses this vulnerability and expects to release NetCloud OS 6.4.2 Tuesday, October 31, 2017.

What is it?

The Key Reinstallation Attack (named KRACK by its authors) was published earlier this week by security researchers. It allows an attacker within range of a WiFi access point to monitor data sent between a WiFi client and the access point.

 

Our analysis of this exploit is that Cradlepoint router AP functionality is not at risk, but WiFi-as-WAN and WiFi Client Mode functionality is at risk. Along with our wireless driver vendors and WiFi authentication services, we are updating our routers to mitigate this issue.

 

For more information, please see:

  1. http://www.kb.cert.org/vuls/id/228519
  2. https://www.krackattacks.com

The related CVEs are:

 

  • CVE-2017-13077: Reinstallation of the pairwise key in the Four-way handshake
  • CVE-2017-13078: Reinstallation of the group key in the Four-way handshake
  • CVE-2017-13079: Reinstallation of the integrity group key in the Four-way handshake
  • CVE-2017-13080: Reinstallation of the group key in the Group Key handshake
  • CVE-2017-13081: Reinstallation of the integrity group key in the Group Key handshake
  • CVE-2017-13082: Accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake
  • CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
  • CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
  • CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame


What Cradlepoint devices are affected?

All currently supported products that support WiFi are affected. 

 

  • AER: AER3100, AER2100, AER1600
  • COR: IBR1100, IBR900, IBR600, IBR600B, IBR600C
  • OTHERS: MBR1200B

Please note the CBA850 and other products with no Wi-Fi are not affected.

Mitigation Steps: what actions do I take?

  1. If you do not use WiFi-as-WAN or Wi-Fi Client functionality, no action is necessary. However, we suggest you update to the 6.4.2 release when it is available.
  2. If you use WiFi-as-WAN or Wi-Fi Client functionality, ensure that your attached clients use VPN or HTTPS connections to encrypt their traffic. Alternatively, set up an IPsec tunnel from the router to encrypt traffic.
  3. If you use NetCloud Manager, you can set up Rogue AP detection and monitor the results.

Upgrading to New Firmware

At Cradlepoint, protecting your network is our first priority.

 

NetCloud OS Patch Availability

  • 6.4.2 (Available Oct 30, 2017) – All products listed above
    • Please note that four products have fixes for the most severe KRACK vulnerabilities, but still have issues with a group key replay.
      • IBR1100, IBR600, IBR600B, MBR1200B
      • All vulnerability tests pass except for a subset related to a vendor group key replay issue, which will be fixed in a follow-up release.  This specifically affects multicast and broadcast traffic, which is rare.  SSDP (UPnP), IPTV, and Apple Bonjour are examples of multicast and broadcast traffic.  Unicast traffic, which generally accounts for much of secure traffic in the system, has been fixed.
  • 6.4.3 (Available Dec 11, 2017) - IBR900/IBR950 - FIPS
  • 6.5.0 (Available Feb. 2018) - IBR1100, IBR600, IBR600B, MBR1200B

To upgrade your firmware:

  1. For instructions on upgrading firmware using NetCloud Manager, click here.
  2. For instructions on upgrading firmware using the Automatic Update capability in the router user interface, click here.
  3. If you want to download new firmware and manually update using the router user interface, click here.

For more information, contact your Cradlepoint Support Representative by opening a case in the Cradlepoint Connect Portal.
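
As an added example (not part of the original advisory and not Cradlepoint code), the Python below applies the affected-model list, the mitigation steps and the patch availability list above to a router inventory. The CSV layout, device names and status labels are assumptions made for illustration, and FIPS builds (the 6.4.3 line) are not modelled.

```python
import csv
import io

# Model lists and release numbers come from this advisory.
AFFECTED = {"AER3100", "AER2100", "AER1600", "IBR1100", "IBR900",
            "IBR600", "IBR600B", "IBR600C", "MBR1200B"}
GROUP_KEY_PENDING = {"IBR1100", "IBR600", "IBR600B", "MBR1200B"}  # full fix in 6.5.0
NOT_AFFECTED = {"CBA850"}  # named in the advisory as having no Wi-Fi

def parse_version(text):
    """'6.4.2' -> (6, 4, 2) so that versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(model, firmware, wifi_client):
    """Return a status label (labels are assumptions) for one router."""
    model = model.strip().upper()
    if model in NOT_AFFECTED:
        return "not-affected"
    if model not in AFFECTED:
        return "unknown-model"
    version = parse_version(firmware)
    if not wifi_client:
        # Mitigation step 1: no action necessary, 6.4.2 still suggested.
        return "no-action" if version >= (6, 4, 2) else "update-suggested"
    if version < (6, 4, 2):
        # Mitigation step 2: VPN/HTTPS or IPsec until the router is upgraded.
        return "exposed-apply-mitigations"
    if model in GROUP_KEY_PENDING and version < (6, 5, 0):
        # 6.4.2 fixes unicast; group key replay remains on these models.
        return "partial-group-key-replay"
    return "patched"

# Constructed sample inventory (hypothetical export format and device names).
SAMPLE = """name,model,firmware,wifi_client
branch-01,AER2100,6.4.1,yes
branch-02,IBR600B,6.4.2,yes
bus-17,IBR1100,6.4.1,no
kiosk-03,IBR900,6.4.2,yes
dc-edge,CBA850,6.3.0,no
"""

def triage_inventory(csv_text):
    """Map each device name in the CSV to its triage status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["name"]: triage(r["model"], r["firmware"],
                              r["wifi_client"].strip().lower() == "yes")
            for r in rows}

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE).items():
        print(f"{name:10} {status}")
```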

 

 
