
Issue

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.
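
The nonce reset described above, and the kind of implementation-level fix that closes it, as a simplified model. This is an added example, not code from Riverbed, Xirrus or the referenced research; the `Supplicant` class, its methods and the `PTK-A` key label are hypothetical and the handshake sequence is constructed.

```python
# Added example: simplified client-side model of 4-way handshake message 3.
# All names and data are constructed; no real 802.11 frames are handled.

class Supplicant:
    """Client that installs the pairwise key on receipt of message 3."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.installed_key = None
        self.packet_number = 0          # per-frame nonce is derived from this
        self.last_replay_counter = -1
        self.nonces_used = []           # (key, packet_number) of each frame sent

    def on_message3(self, replay_counter, key):
        # A retransmitted message 3 carries a fresh replay counter, so this
        # check alone does not stop it.
        if replay_counter <= self.last_replay_counter:
            return "dropped"
        self.last_replay_counter = replay_counter
        if self.hardened and key == self.installed_key:
            return "acknowledged, key not reinstalled"
        self.installed_key = key
        self.packet_number = 0          # key installation resets the nonce
        return "key installed"

    def send_data(self):
        self.packet_number += 1
        pair = (self.installed_key, self.packet_number)
        self.nonces_used.append(pair)
        return pair


def reused_nonces(hardened):
    """Message 3, two data frames, retransmitted message 3, two data frames."""
    client = Supplicant(hardened)
    client.on_message3(replay_counter=1, key="PTK-A")
    client.send_data()
    client.send_data()
    client.on_message3(replay_counter=2, key="PTK-A")   # retransmission
    client.send_data()
    client.send_data()
    seen, reused = set(), []
    for pair in client.nonces_used:
        if pair in seen:
            reused.append(pair)         # same key and nonce used twice
        seen.add(pair)
    return reused
```

With `hardened=False` the two frames sent after the retransmission reuse packet numbers 1 and 2 under the same key; with `hardened=True` no pair repeats.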

For additional information, please see:

  • CERT Vulnerability Note VU#228519: Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
  • KRACK Attacks


Solution

SteelHead products 

| Product | Status | Fixed Release (expected release date) |
|---|---|---|
| SteelCentral Controller for SteelHead | Not Vulnerable | Not Vulnerable |
| SteelCentral Controller for SteelHead Mobile | Not Vulnerable | Not Vulnerable |
| SteelHead CX (appliance, virtual, cloud) | Not Vulnerable | Not Vulnerable |
| SteelHead Interceptor | Not Vulnerable | Not Vulnerable |

SteelCentral products 

| Product | Status | Fixed Release (expected release date) |
|---|---|---|
| AirPcap | Not Vulnerable | Not Vulnerable |
| AppCapacity | PENDING | PENDING |
| AppInternals | Not Vulnerable | Not Vulnerable |
| AppMapper | Not Vulnerable | Not Vulnerable |
| AppResponse | Not Vulnerable | Not Vulnerable |
| AppSQL | PENDING | PENDING |
| Aternity | PENDING | PENDING |
| Flow Gateway | Not Vulnerable | Not Vulnerable |
| Modeler | PENDING | PENDING |
| NetAuditor | PENDING | PENDING |
| NetCollector | PENDING | PENDING |
| NetExpress | Not Vulnerable | Not Vulnerable |
| NetPlanner | PENDING | PENDING |
| NetProfiler | Not Vulnerable | Not Vulnerable |
| NetSensor | PENDING | PENDING |
| NetShark | Not Vulnerable | Not Vulnerable |
| Packet Analyzer | Not Vulnerable | Not Vulnerable |
| Portal | Not Vulnerable | Not Vulnerable |
| Report Server | PENDING | PENDING |
| Transaction Analyzer | Not Vulnerable | Not Vulnerable |
| UCExpert | PENDING | PENDING |
| WebAnalyzer | Not Vulnerable | Not Vulnerable |

SteelFusion products 

| Product | Status | Fixed Release (expected release date) |
|---|---|---|
| SteelFusion Core (appliance, virtual) | Not Vulnerable | Not Vulnerable |
| SteelFusion Edge | Not Vulnerable | Not Vulnerable |
| SteelHead EX | Not Vulnerable | Not Vulnerable |

SteelConnect products 

| Product | Status | Fixed Release (expected release date) |
|---|---|---|
| SteelConnect Access Point | SteelConnect SDI-AP5 and SDI-AP5r, running 2.9.0 and earlier. | 2.9.1 (TBD) |
| SteelConnect Gateway | SteelConnect SDI-130w running 2.9.0 and earlier. Other gateways (SDI-130, SDI-330, SDI-1030, SDI-5030, SDI-VGW) are not vulnerable. | 2.9.1 (TBD) |
| SteelConnect Manager | Not Vulnerable | Not Vulnerable |
| SteelConnect Switch | Not Vulnerable | Not Vulnerable |
| Xirrus | Vulnerable | Additional Information |

Xirrus WiFi
Frequently Asked Questions (FAQ)

  1. Does this vulnerability only impact networks using the TKIP cipher?
    No. All cipher suites, such as TKIP, AES and GCMP, are impacted by this vulnerability.
     
  2. Do we need another protocol, such as a new version of WPA2?
    No, the existing protocol is secure with appropriate implementation modifications. Both client and access point software can be patched with software fixes to address the issue. 
     
  3. Does this vulnerability impact both WPA and WPA2?
    Yes, both are impacted by this vulnerability which exists in the key handshake.
     
  4. Are my Wi-Fi devices – smartphones, laptops, tablets, etc. – vulnerable?
    Likely your devices are vulnerable until you have implemented appropriate security updates from the device vendors. Contact your vendors to validate.
     
  5. Should I shut down my Wi-Fi network until this is fixed?
    No, the vulnerability is in the 4-way handshake that is part of the process for a device to connect to a Wi-Fi network. It does not exploit access points but rather targets clients. Disabling 802.11r (fast roaming) can reduce the exposure to this vulnerability while Riverbed Xirrus makes the access point patch available through our support website.
     
  6. What action should I take on my Wi-Fi network?
    Applying the appropriate software patches when available is the permanent solution. In the meantime, we recommend you take a few immediate steps to reduce the risk:
    • Turn off TKIP
    • Turn off 802.11r
    • Enable 802.11w
       
  7. Are other vendors impacted by this vulnerability?
    Yes. Industry reports indicate that all Wi-Fi vendors are impacted by this vulnerability.
     
  8. How will I know when the patch for Xirrus APs is available?
    We will communicate the status of software patches to our customers when available. You can get information through all the means listed below:
    • A customer advisory will be sent to Riverbed Xirrus customers.
    • APs managed by XMS-Cloud will automatically receive the software patch. APs for customers who have configured specific upgrade windows will receive upgrades during the configured windows.
    • An announcement will be displayed when you log into XMS-Cloud.
    • You will be notified of the new software package if you have set up notification on your support community profile.
    • An announcement will be posted on the Xirrus support community.
       
  9. Can this vulnerability be easily exploited by an individual with malicious intent?
    KRACK is a man-in-the-middle attack. A person executing it must have the appropriate equipment and software and be physically at a given location to access the Wi-Fi signal. This attack cannot be carried out remotely. Riverbed Xirrus takes security threats seriously and recommends that you upgrade the software of your Xirrus APs to the latest version as soon as it is released.
     
  10. Does this vulnerability impact the AP, client device or both?
    This is a client-side vulnerability, meaning communications from the Wi-Fi device to the AP can be compromised. However, software patches are applicable to both the client and AP infrastructure. We strongly recommend patches be deployed to both when available.
     
  11. Where can I get more information on this vulnerability?
    Visit the Xirrus support community for additional information on the impact on Xirrus APs and the available solution.
Security Advisory
On October 16, 2017, a research paper was made public by Dr. Mathy Vanhoef from the IMEC-DistriNet Research Group of KU Leuven in Belgium that uncovered security vulnerabilities in key negotiations in both the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) protocols. The vulnerabilities, most commonly known as KRACK, are associated with the process used for negotiating encryption keys used by the client and access point and may allow reinstallation of these keys.

Scope of Impact:
While both Wi-Fi access points and Wi-Fi clients using WPA or WPA2 security are impacted, most of the vulnerabilities affect client devices. If exploited, the vulnerabilities enable potential eavesdropping on client-to-AP communications (but not access point-to-client) by someone in range of a Wi-Fi network. Of the most common operating systems, Android devices have exposure to the issue. Microsoft Windows and iOS devices are only affected if 802.11r roaming is in use. WPA/WPA2 security is not fundamentally broken by the issue and the vulnerability can be addressed with a software patch.

Current Status:
Riverbed Xirrus was made aware of the vulnerability in advance of the public notice and has conducted an evaluation of the impact on the Xirrus product portfolio. We have issued a software patch to fix the vulnerability in our access points.

Action to Take:
KRACK exploits the communication from the client device to the AP, but not the other way around. The most important preventative action to take is to ensure your client devices are patched against this vulnerability. The issue can be addressed on Xirrus access points by applying a software patch or with workarounds by disabling specific features.

We recommend the following specific actions for Riverbed Xirrus customers:
  • Ensure your Wi-Fi clients are patched and kept up to date. Some client manufacturers have issued patches while others are rolling them out over time.
  • Apply the AOS software patch to your Xirrus APs. More details on this are available below in this document.
  • Turn off 802.11r roaming if possible. 802.11r is disabled by default in Xirrus software. Disabling 11r removes the AP vulnerability for Windows and iOS devices. Windows and iOS clients also still need to be updated to remove all vulnerabilities.
  • Turn off WDS if possible. Together with disabling 802.11r, this will eliminate the vulnerability for Xirrus access points as a workaround until a patch is issued.
  • Turn off TKIP encryption. While TKIP usage is not common, check if it is enabled on your network.
In general, we recommend using HTTPS and/or VPNs as a best practice when connecting to public or other Wi-Fi networks outside your company/organization.

Security Fix:
On October 31, 2017, Xirrus released a security patch for the “KRACK” vulnerability for access points running main line AOS software. 

For Xirrus customers using XMS-Cloud, there are two options:
  • By default, Xirrus will automatically push the access point software update between October 31 and November 2, 2017 during the normal maintenance window, typically 11 PM to 3 AM in your local time zone.
  • If you want to control when your access points are updated, set the maintenance window from the upper-right drop-down menu under Settings – Firmware Upgrades.
For Xirrus customers using XMS-Enterprise or CLI/WMI to manage APs directly, the patch is available through the Xirrus Customer Support Community. From there it can be downloaded and your access points upgraded.

Patch Release:
| Access Points | Release Date (Main Line) | Release Date (Technology Line) |
|---|---|---|
| XR/XD/XA/XH APs (except below) | Version 8.3.5, October 31, 2017 | Version 8.4.3, November 20, 2017 |
| XD2-230 APs | Version 8.4.3, November 20, 2017 | Version 8.4.3, November 20, 2017 |
| XR-320 and X2 APs | Version 8.2.4, November 30, 2017 | Version 8.4.1, November 30, 2017 |

If you have any questions or concerns about the upgrade process, contact Customer Support via the Support Community.

Customer Support Community:
The Xirrus Customer Support Community contains a wealth of information regarding Xirrus products, including the latest software releases, security bulletins, how-to guides, product announcements, tech tips and 24/7 access to your support tickets. If you have any questions regarding this security vulnerability, please contact Customer Support via the Support Community.

Thank you,
Xirrus Customer Support support@xirrus.com
 
United States and Canada +1.800.947.7871 (US Toll Free) or
+1.805.262.1600 (Direct)
Europe, Middle East, and Africa +44.20.3239.8644
Australia 1.300.947.787 (Within Australia)
Asia and Oceania +61.2.8006.0622
Latin, Central, and South America +1.805.262.1600
Last Modified: 2017-12-04