
WLC 5520 KRACK Attack WPA2 Vulnerability (Fast Transition configured)

mon08
Level 1

We have some SSIDs broadcast using WPA2 authentication and have "Fast Transition" configured.

Recently the KRACK Attack vulnerability was released. Does this security vulnerability have a patch already?

TIA

1 Accepted Solution


Leo Laohoo
Hall of Fame

Software fix for the KRACK vulnerability is now available for download.  They are 8.0.152.0, 8.2.164.0, 8.3.132.0 and 8.5.105.0.


12 Replies

Leo Laohoo
Hall of Fame

Cisco will be releasing a fix very soon.

Remember that this vulnerability affects not just the APs but any wireless client with a wireless NIC. So patching the APs won't fix the issue as the wireless client(s) need to be patched as well.

I was under the impression if one side was fixed (either client or AP infrastructure) then the vulnerability could not be exploited.

Hi Mate,

If you have a WLAN with FT (802.11r) enabled, please follow the workaround provided in this Cisco security advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa#workarounds. Please subscribe to notifications of this document for the latest news and fixes.

Disabling FT (802.11r) on the AP/WLC side is an effective workaround to the AP side vulnerability, and the client-side vulnerabilities will need to be addressed on the client side.

Regards,

Divya

Leo Laohoo
Hall of Fame

KRACK.png

Here is the schedule of software fix release dates.

Cisco just updated their advisory: their previously released patch is not 100% OK, and they will release another updated version.

Leo Laohoo
Hall of Fame

Software fix for the KRACK vulnerability is now available for download.  They are 8.0.152.0, 8.2.164.0, 8.3.132.0 and 8.5.105.0.

ssaeger
Level 1
Yes. Most of the patches were released on 10/21.

Steve Saeger
Director, Network/Telecom
Mercy
3637 S. Geyer Rd.
St. Louis, MO 63127
Office: 314-364-3240 | Email: steven.saeger@mercy.net


Thanks Steve.

A quick update to anyone reading this thread and intending to upgrade to 8.3.132.0:
Cisco TAC has recommended anyone to HOLD OFF upgrading to 8.3.132.0. TAC has identified a Severity 1 bug which causes the controller to crash after upgrading to 8.3.132.0.
There are no reported issues in regards to other versions.

Hi Leo,

Thanks for the heads-up, we'll postpone our scheduled upgrade then and wait for the stable update.

-
Cheers,
Mon

patoberli
VIP Alumni
FYI, Cisco just informed about 4 new security issues which can cause DoS with reload (but no remote code execution).
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-aironet1
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-aironet2
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-wlc1
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-wlc2
All those new issues are fixed in the following releases:
Prior to 8.0 Not vulnerable
8.0.152.0
8.2.164.0
8.2.164.0
8.3.132.0
8.4.100.0
8.5.110.0 (future release)