Wi-Fi Key Reinstallation Attack “KRACK” Update: Protecting Unpatched Devices

Summary
On October 16, 2017, security researchers announced several vulnerabilities in the WPA/WPA2 encryption protocol that affect countless Wi-Fi enabled devices worldwide. As a result of KRACK, Wi-Fi data streams, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. This security flaw means that, for vulnerable clients and access points, WPA- and WPA2-encrypted Wi-Fi traffic is potentially exposed until certain steps are taken to remediate the issue.

Presently, there are 10 known vulnerabilities that comprise KRACK. WatchGuard is providing patches for all of our affected products. For non-WatchGuard devices, users should refer to their vendor’s website and security advisories to determine if they are affected, and if updates are available. Even though most companies will provide patches, it’s likely that unpatched devices will interact with your network and expose you to risk. WatchGuard offers additional methods to protect unpatched client devices from KRACK.

How to Mitigate KRACK
The steps below describe recommended actions to protect your network from KRACK vulnerabilities in various scenarios, including from unpatched client devices.

  1. Update your access point (AP) firmware (10/30/17)
    • WatchGuard will provide patches for all supported APs and tabletop appliances with embedded wireless APs.
  2. Enable the “Mitigate WPA/WPA2 key reinstallation vulnerability in clients” feature. With this setting enabled, the AP can compensate for unpatched clients. Mitigation is recommended only until all clients are patched.
    • AP managed by GWC: Available for the AP120, AP320, AP322, and AP420 with the upcoming 10/30/17 patch.
    • AP managed by Wi-Fi Cloud: Available now (see the WatchGuard Knowledge Base article).
    • Firebox with built-in Wi-Fi: Available on the T-10W, T-30W, and T-50W with a firmware update whose date is TBD.
    • In a small percentage of cases, mitigation may exacerbate client connectivity issues in environments already suffering from weak signal coverage or high interference.
  3. Enable the “AP MAC Spoofing Prevention” setting in the Wi-Fi Cloud WIPS policy.
    • AP managed by GWC: manage your APs with a Wi-Fi Cloud license and acquire dedicated WIPS sensors for your environment.
    • AP managed by Wi-Fi Cloud: enable the setting in the management interface.

 

Source: WatchGuard

The Week in Crypto: Bad News for SSH, WPA2, RSA & Privacy

KRACK, ROCA, exposed SSH keys and the European Commission’s loosey-goosey stance on backdoors have made it a rough week for cryptography. Here’s your wrap-up on the best of the worst.
Source: Vulnerabilities & Threats

Accelerate Adoption of Remote Care to Dramatically Reduce Costs

There are many challenges to the long-term viability of our healthcare systems. An increasingly older and growing population demanding care amid a shortage of qualified personnel. A shift from infectious to more costly chronic disease management. An evolving policy and regulatory landscape. How can these challenges of cost, quality, and access be addressed?

Providers are increasingly turning to remote care for the answer. The potential of remote care is well documented: It can reduce hospital admissions by as much as 40% while cutting U.S. employer healthcare costs by as much as $6 billion annually.

The benefits seem intuitive enough. By moving healthcare delivery beyond the hospital or clinic and closer to patients, providers can engage more frequently and gather data continuously. This allows them to design better and more proactive and personalized treatments without unnecessary and costly office visits or hospital admissions. And it enables patients to participate more in managing their own health, monitoring their vitals to make smarter decisions that can improve their quality of life.

So why is remote care delivery still not ubiquitous? While its use is increasing, widespread adoption still faces barriers. Foremost among them are security and privacy concerns, integration with existing workflows and technology, and solution flexibility that doesn’t sacrifice reliability and predictability.

But now there’s a new solution that can help address these concerns and help usher in a new generation of remote patient care.

Introducing the Intel Health Application Platform—software that, when coupled with an Intel-architecture-based design specification implemented by a third-party hardware vendor such as Flex, can help enable healthcare solution providers to securely and reliably deliver distributed healthcare services across an always-connected and ever-expanding healthcare edge and to any cloud.

When combined with a third-party hardware design, the Intel Health Application Platform can empower the healthcare industry to develop novel and exciting products and services that require enterprise-grade stability, security, and longevity. All while lowering TCO and delivering better user experiences. Once developed and deployed by healthcare solution providers, these solutions can give care providers access to a new breed of flexible yet robust solutions that can help them provide more informed and proactive diagnoses and treatments.

Intel is helping enable smarter approaches to healthcare delivery at the edge and a new standard for remote patient care.

To stay informed about Intel IoT developments, subscribe to our RSS feed for email notifications of blog updates, or visit intel.com/IoT, LinkedIn, Facebook and Twitter.


Source: Network News

The Catch-22 of Security Software

Malicious actors are constantly developing new and improved methods to attack companies. Innovations in security software help organizations to defend against the dynamic world of information security threats, but this protection comes with inherent drawbacks.

One of these drawbacks is that security solutions can require significant access to systems and networks to assess whether or not suspicious activity is present. Further, researchers for security vendors often need to be able to review samples and dig deep to find clues pointing to new threats. Companies receive the benefits of this access and research but should also be aware of the potential risks.

The worst case scenario of the risk associated with this kind of technology was recently brought into the spotlight by the news that Russian intelligence officers exploited the antivirus software of Kaspersky Lab, a private Russian cybersecurity company, to steal sensitive American documents. After news like this, the question on many people’s minds is, do security technologies such as antivirus software still have a place in cyber defense considering the risks the software itself poses?

The answer is more complicated than a simple yes or no. Going with or without one solution or another will always present risks either way, but at some point a company will have to accept some risk. Rather than foregoing any protection at all or drastically limiting the effectiveness of investments made in their security solutions, companies can educate themselves on the potential risks involved with different security solutions and vendors and seek to mitigate those risks as much as possible.

Businesses take different factors into account when selecting and vetting business partners, and choosing a security vendor should be no different. Asking key questions of vendors helps to ensure that both parties are protected in their relationship. Questions such as how they monitor their own systems and networks, what the expectations are as far as disclosure of their own significant security events, and how they handle access to customer data are all helpful in establishing an understanding of how they operate. References, audits, and certifications are also valuable tools in establishing background on risks and potential insights on mitigations for those risks.  

What can’t happen with current technology is the Nirvana of expecting security vendors to deliver on the promise of protecting against the plethora of ever-changing security threats without giving them any visibility into systems and/or networks. There is a trade-off here and it’s up to companies to decide what risk is acceptable and what isn’t. Is the risk of not running antivirus software greater than the risk of giving that software full access to the systems it protects? If full access isn’t given, how can it be expected to protect what it can’t see? How many other security products essentially present this same risk dilemma? Who wants to explain to management that their decision to rid the company of antivirus software likely led to a missed infection leading to a front-page breach?

Simply avoiding security software requiring broad access probably isn’t the best answer. Asking the right questions of these vendors and taking appropriate steps internally to mitigate associated risks is the better path. It’s completely acceptable to expect a certain amount of responsibility with this access on the part of vendors, but it’s also reasonable to expect that, despite their best efforts, they too may be compromised or have security flaws turn up in their products just like any other organization.


Source: Honeypot Tech

Hak5 2306 – Bash Bunny Phishing Attack With Hamsters

Hak5.org/live to watch the event announcement live!
Hak5.org/rsvp to come to our San Francisco event.

——————————-
Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ
——————————

Source: Security news



Oracle Fixes 20 Remotely Exploitable Java SE Vulns

Quarterly update for October is the smallest of the year: only 252 flaws to fix! Oracle advises to apply patches ‘without delay.’
Source: Vulnerabilities & Threats

WPA2 Wi-Fi Vulnerable to KRACK Hack; RSA Keys Broken – ThreatWire

KRACK is bad for Wi-Fi, Equifax loses its IRS contract, and an RSA key generation flaw leaves private keys recoverable from public keys. Today on ThreatWire.


https://www.krackattacks.com/
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
https://github.com/kristate/krackinfo
https://www.wired.com/story/krack-wi-fi-wpa2-vulnerability/
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
https://www.theverge.com/2017/10/16/16481818/wi-fi-attack-response-security-patches

Equifax Takes Down Compromised Page Redirecting to Adware Download

Equifax Credit Assistance Site Served Spyware

https://www.cnet.com/news/equifax-website-ads-served-adware-malware-expert-finds/
https://randy-abrams.blogspot.com/2017/10/new-equifax-website-compromise.html
https://www.cnet.com/news/irs-reportedly-suspends-7-2-million-equifax-contract/
https://arstechnica.com/tech-policy/2017/10/after-second-bungle-irs-suspends-equifaxs-taxpayer-identity-contract/

https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
https://en.wikipedia.org/wiki/Coppersmith%27s_attack
https://www.yubico.com/keycheck/
https://keychest.net/roca

Youtube Thumbnail credit:
https://static.pexels.com/photos/7101/wood-coffee-iphone-notebook.jpg

Source: Security news



Reuters: Microsoft's 2013 Breach Hit Bug Repository, Insiders Say

Five anonymous former Microsoft employees tell Reuters that Microsoft’s database of internally discovered vulnerabilities was compromised in 2013, but Microsoft will not confirm it occurred.
Source: Vulnerabilities & Threats

WTB: WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping

The intelligence in this week’s iteration discusses the following threats: Data breach, Malware, Malvertising, Phishing, RAT, Support scam, Threat group, Vulnerabilities, Wi-Fi, and Zero-day. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (October 16, 2017)
Security researchers have discovered a vulnerability that affects nearly every Wi-Fi enabled device. The vulnerability, dubbed “KRACK” (Key Reinstallation Attack), resides in the WPA2 protocol that is commonly used to secure wireless networks. Specifically, the flaw lies in the protocol’s four-way handshake, which allows a device holding the pre-shared key to join the network. By blocking and replaying handshake messages, an attacker can trick a client into reinstalling a key that is already in use, which resets the cryptographic nonce (the per-packet counter that prevents replay) associated with that key. A reused nonce allows a threat actor to attack the encryption of the protocol, which could lead to hijacked connections and content injected into the network traffic stream.
Recommendation: Your company should be on the lookout for the necessary security patches and apply them as soon as possible; some vendors have already issued patches. Additionally, measures should be in place to monitor your company’s traffic for any potential malicious activity.
Tags: Vulnerability, Wi-Fi

Decoy Microsoft Word Document Delivers Malware Through A RAT (October 13, 2017)
Malwarebytes researchers have discovered that threat actors are using malicious Microsoft Office documents, which require no user interaction beyond opening the file, to infect users with a Remote Administration Tool (RAT). The RAT is a commercial tool known as “Orcus RAT” that is being used for malicious purposes. Using this tactic, the Office documents can appear benign. If an individual opens the Word document, it triggers an automatic download of a malicious RTF file that exploits CVE-2017-8759 to deliver the payload.
Recommendation: Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, the patch for CVE-2017-8759 should be applied as soon as possible if it has not been already.
Tags: Malicious Word document, RAT

Hyatt Suffers Second Card Data Breach in Two Years (October 13, 2017)
The multinational hotel operator, “Hyatt,” has acknowledged that some of their locations were compromised by unknown actors. Hyatt discovered that unauthorized access to payment card information, that was entered manually or swiped at front desks, occurred between March 18 and July 2, 2017. The breach affects 41 locations in 11 countries. As of this writing, it is unknown how many people may be affected by this incident.
Recommendation: POS security relies on the same type of preventative measures as all other systems, because POS terminals are a unique type of computer. In the case of a confirmed infection, the POS terminal must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the POS system should occur along with a formal incident response investigation.
Tags: Data breach, Data theft, Hyatt

Equifax Website Hacked Again (October 12, 2017)
Security researcher Randy Abrams discovered that on October 11, 2017, the U.S.-based credit bureau “Equifax” had its website compromised. Abrams found that for several hours on October 11, and again on October 12, the Equifax website was offering visitors a fake Adobe Flash update. If a user downloaded the update, they would be infected with adware.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Additionally, policies should be in place for webmaster to apply updates as soon as possible from the official vendor websites.
Tags: Website compromise, Equifax

PDF Phishing Leads to NanoCore RAT, Targets French Nationals (October 12, 2017)
A new phishing campaign has been identified to be targeting French nationals, according to Fortinet researchers. The actors are using phishing emails that purport to be banking loan offers. The emails have PDF file attachments that contain embedded JavaScript that will download an HTA file from a Google Drive shared link. The HTA file will drop and subsequently execute “NanoCore” Remote Access Trojan (RAT) payload.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Emails that request that the recipient follow a link or open an attachment can often be indicative of a phishing attack.
Tags: Phishing, RAT, Nanocore

Spoofed SEC Emails Distribute Evolved DNSMessenger (October 11, 2017)
Cisco Talos researchers have published additional information regarding threat actors spoofing emails from the U.S. Securities Exchange Commission (SEC) to deliver malware. Researchers have observed that actors are now spoofing emails to make them appear to be from the SEC’s Electronic Data Gathering Analysis and Retrieval (EDGAR) system. The emails contain a malicious attachment that begins the infection process when opened that leads to infection with “DNSMessenger” malware.
Recommendation: The impersonation of government agencies continues to be an effective phishing tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. In the case of infection, the affected system should be wiped and reformatted. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Phishing, SEC, Spoofed email, Malware, DNSMessenger

Equifax: Up to 15 Million More at Risk (October 11, 2017)
The U.S.-based credit bureau “Equifax” has added additional information regarding the breach it suffered in September. The bureau has now stated that it believes that approximately 15.2 million U.K. records were affected, specifically, individuals who were entered into its database between 2011 and 2016. Researchers state that out of the 15.2 million, 693,665 individuals are categorized as “high-risk.” After news of the breach was reported in September, Equifax had first stated that approximately 400,000 U.K. consumers were affected.
Recommendation: With nearly half of the U.S. population, and a significant increase in U.K. individuals affected by this breach, it is important for individuals to check to see if they are affected by using the following website “https://www.equifaxsecurity2017.com/potential-impact/”. Affected individuals in the United Kingdom will have letters sent to them by Equifax, specifying what data was exactly accessed. Additionally, individuals should regularly check their credit statements in order to identify potential malicious activity.
Tags: Data breach, Data theft, Equifax

Watch Out for These High-Pressure Apple Malware Scams (October 11, 2017)
A new scam campaign has been found to be targeting Apple product users, according to Sophos researchers. The actors are using scare tactics, impersonating Apple support and stealing the company’s images to use in support scams. The alerts presented to Mac users claim that the machine has been infected with various forms of malware, or contains critical vulnerabilities. If a user follows the directions in the “security alert,” they will be asked to install third-party software to “fix” the issues. Researchers also note that they identified a fake Adobe Flash Player update being used by threat actors in this round of Apple scams.
Recommendation: Technical support scams are common threats facing individuals and companies alike. Any image that appears that requests a phone number be called in order to receive assistance in repairing a machine is likely fake. Often times there are research blogs that provide instructions to remove malware related to these type of scams from an infected machine. Policies should also be in place to educate your employees on the proper steps to avoid these scams, and who to inform if such an instance occurs.
Tags: Security/Support scam, Apple

Microsoft Patches Windows Zero-Day Flaws Tied to DNSSEC (October 10, 2017)
Microsoft’s Patch Tuesday has issued security updates that address a zero-day vulnerability in the Windows DNS client, specifically the DNS client in Windows 8 and 10 as well as Windows Server 2012 and 2016. The heap buffer overflow vulnerabilities, registered as CVE-2017-11779, were identified in the handling of one of the record types used by secure DNS (DNSSEC). If a threat actor exploits this vulnerability, it could allow them to take full control of the affected machine without any user interaction.
Recommendation: Your company should regularly check the software you use in everyday business practices to ensure that everything is always up-to-date with the latest security fixes. Using the automatic update feature in Windows operating systems is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Vulnerability, Zero day, Microsoft

ATMii: A Small but Effective ATM Robber (October 10, 2017)
Kaspersky Lab researchers have released information on a new ATM malware, dubbed “ATMii,” that was discovered in April 2017. To compromise an ATM, an actor first needs physical access to the machine (for example, via a USB drive) or direct access to it over its network. The objective of ATMii is to force the ATM to dispense all of the cash it holds. The malware targets a proprietary ATM software process and injects malicious code into it, thus loading a malicious DLL file. The DLL file listens for commands, including a command to dispense currency.
Recommendation: ATM security relies on the same type of preventative measures as all other systems, because ATMs are a unique type of computer. In the case of a confirmed ATMii infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation.
Tags: Malware, ATMii

OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan (October 9, 2017)
Unit 42 researchers have published their findings on a new spear phishing campaign conducted by the threat group “OilRig.” Researchers discovered in July 2017 that the group was using a custom tool called “ISMAgent” in a new campaign of targeted attacks. By August 2017, OilRig had begun distributing a new trojan, dubbed “ISMInjector,” that is used to install the ISMAgent backdoor. The malware is distributed via spear phishing emails that contain attachments with malicious macros.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management.
Tags: Threat group,OilRig, Phishing, Malware

Malvertising Group Spreading Kovter Malware via Fake Browser Updates (October 9, 2017)
The threat group behind the Kovter malware family, “KovCoreG,” has been observed conducting a large-scale malvertising campaign, according to Proofpoint researchers. KovCoreG is using fake Adobe Flash and web browser updates to trick users into installing the Kovter malware; Kovter is capable of downloading other forms of malware such as infostealers and ransomware. The campaign focused on Australian, Canadian, U.K., and U.S. visitors to an adult website, and distributed the malvertisements via the advertising network “Traffic Junky”; both companies have since removed the malvertisements. Researchers note that they expect new malvertisements to be distributed to users at other online locations.
Recommendation: Users should be cautious when clicking on advertisements because as this story portrays, malicious advertisements can sometimes appear on legitimate online locations. If the advertised product is appealing, it would be safer to search for the product on the authentic website of the company who is selling the product, or other trusted online shopping locations.
Tags: Malvertising, Threat group, KovCoreG, Malware, Kovter

Formbook Malware Targets U.S. Defense Contractors Aerospace and Manufacturing Sectors (October 9, 2017)
FireEye researchers have identified a new malware called “FormBook” that is used in targeted attacks by unknown threat actors. The actors are targeting aerospace firms, defense contractors, and manufacturing organizations located in the U.S. and South Korea. The data-stealing malware is being distributed via phishing emails that contain malicious DOC, PDF, or XLS attachments. FormBook is capable of multiple forms of malicious activity including: extracting data from HTTP sessions, keylogging, and stealing clipboard contents. Additionally, FormBook can execute commands from a Command and Control (C2) server such as downloading files, and starting processes, among others.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.
Tags: Phishing, Malware, Formbook


Source: Honeypot Tech

KRACK (Key Reinstallation Attack) for WPA and WPA2 Vulnerabilities Update

[Editor’s note: Article updated on 10/20/2017 with additional information about KRACK mitigation options from WatchGuard.]

On October 16, 2017, a statement from the International Consortium for Advancement of Cybersecurity on the Internet (ICASI) alerted the industry to a series of vulnerabilities in WPA and WPA2, named KRACK (Key Reinstallation Attack). These vulnerabilities affect a large number of wireless infrastructure devices and wireless clients across many vendors. For vulnerable clients and access points, WPA- and WPA2-encrypted Wi-Fi traffic is no longer secure until certain steps are taken to remediate the issue: the Wi-Fi data stream, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. WatchGuard’s Wi-Fi access points (APs) and Wi-Fi enabled appliances are affected by these vulnerabilities. Following is detailed information about the vulnerabilities, which WatchGuard products are affected, and timing for patches. WatchGuard understands that in many cases it is difficult, if not impossible, to patch all client devices; for example, IoT devices whose vendors are slow, out of business, or unwilling to patch older product versions may remain vulnerable indefinitely. See below for details on how WatchGuard Wi-Fi technology can mitigate KRACK for such vulnerable clients.

Who is affected by these vulnerabilities?
The vulnerability is widespread. Review the ICASI statement for additional information and the CVE identifiers. Organizations that use wireless access points (APs) relying on WPA or WPA2 encryption, and mobile users who connect to Wi-Fi networks with smartphones, tablets, laptops, and other devices, should implement the patches applicable to these vulnerabilities.

How many/what type of vulnerabilities are there?
Refer to the ICASI statement for the list of vulnerabilities and their Common Vulnerabilities and Exposures (CVE) identifiers.

How do the KRACK (Key Reinstallation Attack) for WPA and WPA2 vulnerabilities work?
A malicious user within radio range can block and replay messages of the WPA/WPA2 four-way (or group key) handshake, forcing the victim to reinstall a key that is already in use. Reinstalling the key resets the packet number (nonce) and replay counter associated with it, which makes it possible to decrypt and/or modify client traffic; in some client implementations the reinstalled key is even an all-zero key. Traffic already protected by a higher-level encryption protocol, such as HTTPS, a VPN, or application-layer encryption, is not exposed by this attack.

Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network. This is accomplished by manipulating retransmissions of handshake messages.

When an adversary manipulates certain handshake messages over the air, the result is reuse of packet numbers after the handshake completes. Reuse of packet numbers violates the fundamental principle on which the strength of WPA2 encryption and replay protection rests: for a given key hierarchy (PTK, GTK and IGTK), the packet numbers of two original (non-retransmitted) packets protected by the same key must never repeat. For a pair of packets where this assumption is violated, the content of one packet can be determined if the plaintext of the other is known or can be guessed, because both were encrypted with the same keystream. Reset packet numbers also permit an adversary to replay old packets to the receiver, which accepts them as new.
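As an added example (not WatchGuard’s or the KRACK researchers’ code) of the principle stated in this section and in the WTB summary of KRACK earlier on this page: two frames encrypted under the same key with the same packet number share a keystream, and a receiver whose key is reinstalled forgets which packet numbers it has already accepted. CCMP uses AES in counter mode; the keystream here is generated with HMAC-SHA256 over the key, packet number and block index as a stand-in that has the one property that matters (the same key and packet number always give the same keystream). The temporal key, packet numbers, payloads and the `Receiver` class are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Optional


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream for (key, packet number): block i = PRF(tk, pn || i).
    Stand-in for AES-CTR as used by CCMP; what matters is that the same tk and
    pn always produce the same bytes."""
    out = bytearray()
    block = 0
    while len(out) < length:
        counter = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, counter, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(tk: bytes, pn: int, plaintext: bytes) -> bytes:
    """Stream-cipher encryption of one frame body under key tk and packet number pn."""
    return xor(plaintext, keystream(tk, pn, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """If c1 and c2 were produced under the same key and packet number, then
    c1 XOR c2 == p1 XOR p2, so a known or guessed p1 reveals p2."""
    return xor(xor(c1, c2), p1)


class Receiver:
    """Minimal CCMP-style replay check: a frame is accepted only if its packet
    number is greater than the last one accepted under the current key."""

    def __init__(self, tk: bytes) -> None:
        self.tk = tk
        self.last_pn: Optional[int] = None

    def install_key(self, tk: bytes) -> None:
        # The behaviour KRACK abuses: installing a key resets the replay
        # counter, even when tk is the key that was already in use.
        self.tk = tk
        self.last_pn = None

    def receive(self, pn: int, ciphertext: bytes) -> Optional[bytes]:
        if self.last_pn is not None and pn <= self.last_pn:
            return None  # replayed (or reordered) frame: dropped
        self.last_pn = pn
        return xor(ciphertext, keystream(self.tk, pn, len(ciphertext)))


def demo() -> Dict[str, object]:
    tk = b"\x11" * 16                                   # constructed temporal key
    p1 = b"GET /login HTTP/1.1\r\nHost: intranet\r\n"  # guessable request
    p2 = b"user=alice&password=hunter2\r\n"            # secret form body

    # The sender encrypts p1 with pn=1, is then tricked into reinstalling tk,
    # and so encrypts p2 with pn=1 again: identical keystream for both frames.
    c1 = encrypt(tk, 1, p1)
    c2_reused = encrypt(tk, 1, p2)
    recovered = recover_with_known_plaintext(c1, c2_reused, p1)

    # Control: with distinct packet numbers the same trick yields garbage.
    c2_fresh = encrypt(tk, 2, p2)
    not_recovered = recover_with_known_plaintext(c1, c2_fresh, p1)

    # Replay: the receiver accepts c1 once, drops its replay, then accepts the
    # replay again after its key (the very same key) has been reinstalled.
    rx = Receiver(tk)
    first = rx.receive(1, c1)
    replay_before_reinstall = rx.receive(1, c1)
    rx.install_key(tk)
    replay_after_reinstall = rx.receive(1, c1)

    return {
        "p1": p1,
        "p2": p2,
        "recovered": recovered,
        "not_recovered": not_recovered,
        "first": first,
        "replay_before_reinstall": replay_before_reinstall,
        "replay_after_reinstall": replay_after_reinstall,
    }


if __name__ == "__main__":
    result = demo()
    print("nonce reuse leaks the secret frame:", result["recovered"] == result["p2"])
    print("replay dropped before reinstall:", result["replay_before_reinstall"] is None)
    print("replay accepted after reinstall:", result["replay_after_reinstall"] == result["p1"])
```

The control case shows why the packet number is the whole point: with a fresh packet number the XOR of the two ciphertexts reveals nothing. The AP-side mitigation described on this page works on the same principle from the other direction, by refusing to let the client’s counters go backwards.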

Which WatchGuard products were affected?

  • Access Points: AP100, AP102, AP120, AP200, AP300, AP320, AP322, AP420
  • Appliances: XTM 25-W, 26-W, 33-W; Firebox T10-W, T30-W, T50-W

 

How can WatchGuard partners and customers access patches / updates that address these vulnerabilities?
Patches will be available for Fireware, WatchGuard legacy and current APs, and for WatchGuard Wi-Fi Cloud via the following releases and estimated timing (subject to changes, monitor this blog for patch updates):

Sunday, October 15, 2017:

  • AP120, 320, 322, 420:  Release 8.3.0-657, Cloud mode only

 

Monday, October 30, 2017:

  • Fireware: Release 12.0.1
  • Legacy AP:
    • AP300: Release 2.0.0.9
    • AP100, 102, 200: Release 1.2.9.14
  • AP120, 320, 322, 420:  Release 8.3.0-657, Non-Cloud (GWC mode)

 

Q: Is there a method to protect unpatched client devices?
A: WatchGuard is providing patches for all of our affected products and also recommends patching all non-WatchGuard Wi-Fi enabled devices whenever possible.  To protect unpatched client devices, WatchGuard provides two methods of protection:

  1. An option to “Mitigate WPA/WPA2 key reinstallation vulnerability in clients” is available now in the Wi-Fi Cloud, and will be available October 30, 2017 in Fireware version 12.0.1 in the Gateway Wireless Controller (GWC) settings (for the AP120, AP320, AP322, and AP420 running version 8.3.0-657).
  2. AP MAC spoofing prevention is available now in the Wi-Fi Cloud when dedicated WIPS sensors are deployed (not background scanning)

 

Read more about protecting Wi-Fi devices from KRACK in this blog post and in the WatchGuard Knowledge Base.

Have any of WatchGuard’s customers or partners been negatively impacted by these vulnerabilities?
No, we are not aware of any WatchGuard customers or partners who have been negatively impacted by these vulnerabilities.

What is WPA2?
WPA2 (802.11i) is currently the standard for link layer security in Wi-Fi networks. It uses either 802.1X (EAP) or pre-shared key (PSK) based authentication. In 802.1X, the client is authenticated against a backend RADIUS server when setting up a wireless connection. During the authentication process, the client and the RADIUS server generate a common key called the Pairwise Master Key (PMK). The PMK is sent from the RADIUS server to the AP over a secure wired network. In PSK mode, the PMK is derived on the client and on the AP from the same passphrase (password) and SSID entered on both sides. The PMK is then used to generate a hierarchy of keys used for encryption and integrity protection of data sent over the wireless link between the AP and the client.

The protocol to generate the key hierarchy from PMK is called an EAPOL 4-Way Handshake. It is used to derive the following keys:

  • Pairwise Transient Key (PTK), used to encrypt unicast communication between the AP and the client. The PTK is derived and installed by the AP and the client when the wireless connection is set up. It is refreshed during the connection after a pre-configured interval has passed, and also when the client roams between APs using the fast transition (FT) protocol.
  • Group Transient Key (GTK), used for encrypting broadcast and multicast messages from APs to clients. A GTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.
  • Integrity Group Transient Key (IGTK), used for providing integrity for broadcast and multicast management messages (called management frame protection or MFP) transmitted from the AP to the client. IGTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.

 

The keys (GTK and IGTK) are refreshed when a client leaves the AP and the new keys are distributed to all remaining clients using a protocol called Group Key Handshake.
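As an added example (not WatchGuard’s code) of the key hierarchy described above, the following derives the WPA2-PSK keys with the functions the standard specifies: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), and the PTK is the 802.11i PRF over the PMK, the two MAC addresses and the two handshake nonces, split into the KCK (used for the handshake MIC), the KEK (used to wrap the GTK) and the TK (the CCMP data key). The passphrase, SSID, addresses, nonces and the EAPOL message body are constructed values, and `four_way_handshake` is a simplified model of messages 1 and 2 of the handshake, not any vendor’s implementation.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ..., truncated to nbytes."""
    out = bytearray()
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return bytes(out[:nbytes])


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """PTK for CCMP (384 bits) from the PMK, the AP (aa) and client (spa) MAC
    addresses and the two nonces. Ordering the inputs with min/max lets both
    sides compute the same value regardless of which address or nonce is
    'theirs'."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for WPA2-PSK (AKM 00-0F-AC:2): HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_passphrase: str, client_passphrase: str, ssid: str,
                       aa: bytes, spa: bytes, anonce: bytes,
                       snonce: bytes) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Messages 1 and 2 of the handshake, simplified. Both sides derive the PTK
    independently; the AP accepts message 2 only if its MIC verifies under the
    KCK, which is what ties the handshake to knowledge of the passphrase."""
    pmk_ap = derive_pmk(ap_passphrase, ssid)
    pmk_client = derive_pmk(client_passphrase, ssid)

    # Message 1 (AP -> client) carries ANonce; the client now has all inputs.
    ptk_client = derive_ptk(pmk_client, aa, spa, anonce, snonce)

    # Message 2 (client -> AP) carries SNonce plus a MIC over the EAPOL-Key
    # frame computed with the client's KCK (frame body constructed here).
    msg2 = b"EAPOL-Key msg2 " + snonce
    mic = eapol_mic(ptk_client["kck"], msg2)

    # The AP derives its own PTK and verifies the MIC before going any further.
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ptk_ap["kck"], msg2), mic):
        raise ValueError("message 2 MIC does not verify: PMK mismatch")
    return ptk_ap, ptk_client


if __name__ == "__main__":
    aa = bytes.fromhex("001122334455")      # constructed AP MAC address
    spa = bytes.fromhex("66778899aabb")     # constructed client MAC address
    anonce = bytes(range(32))               # constructed nonces
    snonce = bytes(range(32, 64))
    ap, client = four_way_handshake("correct horse battery", "correct horse battery",
                                    "ExampleNet", aa, spa, anonce, snonce)
    print("TK agreed:", ap["tk"] == client["tk"], ap["tk"].hex())
```

Note that the PTK depends on both nonces, so a fresh handshake always produces a fresh TK; KRACK does not break this derivation. It exploits what happens after it, when a retransmitted message 3 makes the client install the same TK a second time and reset the packet number that goes with it.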

What is WPA?
Wi-Fi Protected Access (WPA) is a security protocol and security certification system developed by the Wi-Fi Alliance in response to weaknesses found in the previous system, Wired Equivalent Privacy (WEP). This was an intermediate measure taken in anticipation of the availability of the more complex and secure WPA2. WPA is obsolete and insecure, and WatchGuard recommends that all customers use WPA2, and not WPA.


Source: WatchGuard