WPA2 security issue "KRACK"

bommi
2017/10/16 02:16:08

Hi,
 
are you aware of the latest security issue with WPA2 called "KRACK":
https://www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack/
 
At least Aruba and Ubiquiti already have some patch for this issue, what about Fortinet?
Is this relevant for FortiAP and also FortiWifi?
 
Regards
Dominik
#1

    Maik
    Re: WPA2 security issue "KRACK" 2017/10/16 02:35:49
    From the Release notes:
    FortiAP 5.6.1 is no longer vulnerable to the following CVE Reference:
     CVE-2016-7406
     CVE-2016-7407
     CVE-2016-7408
     CVE-2016-7409
     CVE-2016-10229
     CVE-2017-13077
     CVE-2017-13078
     CVE-2017-13079
     CVE-2017-13080
     CVE-2017-13081
     CVE-2017-13082
    #2
    Kommissar
    Re: WPA2 security issue "KRACK" 2017/10/16 05:19:06
    What about the 5.4.x branch?
    #3
    ronalds_567
    Re: WPA2 security issue "KRACK" 2017/10/16 06:56:50
    Hi
    How about these CVEs?
    CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088
     
    #4
    itsupport@geddesfederal.com
    Re: WPA2 security issue "KRACK" 2017/10/16 08:21:13
    We are also waiting for this updated firmware for a 221B!
     
    The vulnerability indicates it is a WPA2 general vulnerability affecting the reuse of the nonce on one side of the session key exchange so it should affect any WPA2 implementation, does that sound correct?
    #5
    CyberNorris
    Re: WPA2 security issue "KRACK" 2017/10/16 08:53:25
    As previously mentioned, FortiAP 5.6.1 is no longer vulnerable to over half of the KRACK CVEs.
     
    Latest 5.4.x branch for FortiAP is 5.4.3 (release notes dated 21JUN17) and FortiAP-S and FortiAP-W2 5.4.4 (release notes dated 11JUL17). Neither mentions any of the KRACK CVE numbers.
     
    Be on the lookout for firmware updates. I post them usually pretty quickly on Twitter @FortinetGuide
     

    Norris Carden
    Fortinet XTreme Team USA (2015, 2016)
    CISSP (2005), CISA (2007), NSE4 (2016)
    #6
    bommi
    Re: WPA2 security issue "KRACK" 2017/10/16 11:24:15
    There is now an official Advisory on this issue:
     
    http://fortiguard.com/psirt/FG-IR-17-196
    #7
    CyberNorris
    Re: WPA2 security issue "KRACK" 2017/10/16 15:40:32
    itsupport@geddesfederal.com wrote:
    > We are also waiting for this updated firmware for a 221B!
    > The vulnerability indicates it is a WPA2 general vulnerability affecting the reuse of the nonce on one side of the session key exchange so it should affect any WPA2 implementation, does that sound correct?
     
    Yes, it is a general WPA2 vulnerability affecting everything from home routers to top commercial systems. If your FAP 221B is likely managed by a FortiGate, FortiOS needs updated firmware as well as the AP firmware.
     
    Fortinet released a PSIRT around lunch time today on the issue and announced firmware versions pending release. So stay tuned.
     
    Good catch, @bommi
    bommi wrote:
    > There is now an official Advisory on this issue:
    > http://fortiguard.com/psirt/FG-IR-17-196

    Find Fortinet firmware update notifications on Twitter @FortinetGuide

    Norris Carden
    Fortinet XTreme Team USA (2015, 2016)
    CISSP (2005), CISA (2007), NSE4 (2016)
    #8
    Matthijs
    Re: WPA2 security issue "KRACK" 2017/10/17 02:07:37
    Can you please also clarify this one:
     

    For FortiAP:
    Only affect FortiAP which is working as a mesh leaf.


    --------------
    FCNSA
    FCNSP
    FCESP
    #9
    CyberNorris
    Re: WPA2 security issue "KRACK" 2017/10/17 07:07:44
    Matthijs wrote:
    > Can you please also clarify this one:
    >
    > For FortiAP:
    > Only affect FortiAP which is working as a mesh leaf.

    A mesh network is where you use multiple APs to extend the network ... so AP2 (and its clients) are connected to the rest of the network by connecting to AP1.
     
    Here's a Cookbook article on it: http://cookbook.fortinet....ge-with-mesh-topology/

    Norris Carden
    Fortinet XTreme Team USA (2015, 2016)
    CISSP (2005), CISA (2007), NSE4 (2016)
    #10
    Milaan
    Re: WPA2 security issue "KRACK" 2017/10/17 07:14:50
    As far as I understood the Advisory only FortiWiFi Models are affected and FortiAPs Operating as Mesh/Leaf?
     
    Since we use a FortiGate and FortiAP NOT in Mesh/Leaf Mode, we are not affected, right?
    #11
    cdneufeld
    Re: WPA2 security issue "KRACK" 2017/10/17 07:19:17
    I haven't seen anything about the FortiWLC and updates on that front yet. Has anyone else?
    #12
    CyberNorris
    Re: WPA2 security issue "KRACK" 2017/10/17 08:47:03
    As I read the PSIRT Advisory, only a FortiAP used in mesh leaf mode... and FortiWifi models being used in client mode (meaning the AP in the FortiGate is a WiFi client of another AP... acting like a mesh leaf).
     
    I've seen nothing on FortiWLC. Considering any AP on a FortiWLC is a FortiAP, it seems all is good... but again, no confirmation on that. The PSIRT should have included FortiWLC if there was an issue.
     
    I'll try to get more details from inside sources.
    post edited by CyberNorris - 2017/10/17 08:50:29

    Norris Carden
    Fortinet XTreme Team USA (2015, 2016)
    CISSP (2005), CISA (2007), NSE4 (2016)
    #13
    andresp
    Re: WPA2 security issue "KRACK" 2017/10/17 09:03:07
    How about Meru Networks APs/WLC?
     
    We are an old Meru Network shop using AP 832i, some Meru Controllers (MC1550) and some Forti Controllers (500D) running FortiWLC images (known as System Director).
     
    Has anyone heard anything from these yet?
     
    Thanks,
    post edited by andresp - 2017/10/17 09:04:44
    #14
    Selective
    Re: WPA2 security issue "KRACK" 2017/10/17 11:26:55
    No, nothing yet.
     
    I have a ticket open about FortiWLC and AP832; the ticket is in "researching".
    We just bought a couple of controllers and 80 AP832i's.
    I will post here when I receive feedback.
    #15
    andresp
    Re: WPA2 security issue "KRACK" 2017/10/17 12:00:54
    I am OK on my side. See below response from Fortinet for Legacy Meru devices:
     
    How is Fortinet Controller based solution affected with CVEs disclosed in KRACK attacks:
    Our primary enterprise solution uses single channel and virtual cell architecture, and is not affected by the CVEs part of KRACK attacks.
     
    The only configurations affected are the following:
    Feature
    (1) Non virtual cell configuration with 11r enabled
    (2) APs operating in Mesh mode
    (3) APs having Service assurance module enabled

    Applicable SD versions
    (1) 8.0/8.1/8.2/8.3, and only with 11ac and wave2 APs
    (2) 6.x/7.0/8.0/8.1/8.2/8.3
    (3) 6.x/7.0/8.0/8.1/8.2/8.3

    Immediate recommendation
    (1) Disable 11r
    (2,3) Disable SAM, until patch available
     
    Patches to be made available on top of SD versions
    (1) 8.3.3, 8.2.7
    (2) 8.3.3, 8.2.7, 7.0.11
    (3) 8.3.3, 8.2.7, 7.0.11
     
    #16