Author Topic: KRACK Attack Summary  (Read 368 times)

deanwebb (OP)

  • Permit any any all log
  • Administrator
  • Volume Licensing
  • *****
  • Posts: 7404
  • Country: us
  • Rep: 19
  • *I* am the one who NACs.
    • View Profile
  • Certifications: FSCA: ForeScout Certified Administrator, CCNP Security, Tufin CSE, TippingPoint ASE
KRACK Attack Summary
« on: October 16, 2017, 08:25:47 AM »
https://www.krackattacks.com/

In short, this is an attack that requires proximity to the victim device for resending packet 3 of the WPA2 handshake. Updates to WLCs may help, more important to update the client to where it does not accept multiple packet 3 transmissions.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!

Otanx

  • advipservicesk9
  • ****
  • Posts: 1643
  • Country: us
  • Rep: 8
    • View Profile
  • Certifications: CCNP
Re: KRACK Attack Summary
« Reply #1 on: October 16, 2017, 09:57:49 AM »
Mostly a client patch thing. However, there have been more vulnerabilities found using similar techniques on other parts of the wifi handshakes that may require AP patching.

-Otanx

vinceneil666

  • Bit
  • *
  • Posts: 1
  • Country: no
  • Rep: 0
    • View Profile
  • Certifications: cisco, checkpoint, fortigate
Re: KRACK Attack Summary
« Reply #2 on: October 17, 2017, 04:37:39 AM »
From what I understand there is a bit of confusin as to the Cisco WLC's. They have stated a fix has been relesed (8.3.130) 16 oct 2017, but as for the WLC the software is from 27 sept 2017. Now I have been told that someone somewhere, has heard, from someone, that a new fix for WLC is to be released by then end of this week. If anyone has any more info on this- I would be greatfull :)

ristau5741

  • Administrator
  • OC-1920
  • *****
  • Posts: 12008
  • Country: us
  • Rep: 13
    • View Profile
  • Certifications: Instanity
Re: KRACK Attack Summary
« Reply #3 on: October 17, 2017, 06:02:04 AM »
From what I understand there is a bit of confusin as to the Cisco WLC's. They have stated a fix has been relesed (8.3.130) 16 oct 2017, but as for the WLC the software is from 27 sept 2017. Now I have been told that someone somewhere, has heard, from someone, that a new fix for WLC is to be released by then end of this week. If anyone has any more info on this- I would be greatfull :)

probley all the information you need, except the fixed release date.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
:professorcat:

Good, Fast, or Cheap, you can only select 2 of the 3.

deanwebb (OP)

  • Permit any any all log
  • Administrator
  • Volume Licensing
  • *****
  • Posts: 7404
  • Country: us
  • Rep: 19
  • *I* am the one who NACs.
    • View Profile
  • Certifications: FSCA: ForeScout Certified Administrator, CCNP Security, Tufin CSE, TippingPoint ASE
Re: KRACK Attack Summary
« Reply #4 on: October 17, 2017, 10:24:02 AM »
Updates on vendor patches, looks like Windows has already been patched, so yay! https://www.peerlyst.com/posts/the-wpa2-krack-aftermath-what-s-up-with-patches-kimberly-crawley
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!

Otanx

  • advipservicesk9
  • ****
  • Posts: 1643
  • Country: us
  • Rep: 8
    • View Profile
  • Certifications: CCNP
Re: KRACK Attack Summary
« Reply #5 on: October 18, 2017, 09:58:10 AM »
The vulnerability release was actually done pretty well. The vendors were given heads up a little while ago and the day of the public announcement most vendors had patches ready to go either Monday or are expected pretty soon.

-Otanx

deanwebb (OP)

  • Permit any any all log
  • Administrator
  • Volume Licensing
  • *****
  • Posts: 7404
  • Country: us
  • Rep: 19
  • *I* am the one who NACs.
    • View Profile
  • Certifications: FSCA: ForeScout Certified Administrator, CCNP Security, Tufin CSE, TippingPoint ASE
Re: KRACK Attack Summary
« Reply #6 on: October 18, 2017, 10:40:55 AM »
I'm now getting my home CounterACT NAC set up to check my Windows devices for compliance and if non-compliant devices are also on wireless.

Found one box that hasn't been updated since October... 2016... it's on the LAN now, running WSUS offline updates.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!

deanwebb (OP)

  • Permit any any all log
  • Administrator
  • Volume Licensing
  • *****
  • Posts: 7404
  • Country: us
  • Rep: 19
  • *I* am the one who NACs.
    • View Profile
  • Certifications: FSCA: ForeScout Certified Administrator, CCNP Security, Tufin CSE, TippingPoint ASE
Re: KRACK Attack Summary
« Reply #7 on: October 18, 2017, 11:55:57 AM »
Have your patch management system check Windows devices for updates relevant to KBs 4041691, 4042895, 4041676, and 4041681.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!

mlan

  • Access Port
  • *
  • Posts: 64
  • Country: us
  • Rep: 1
    • View Profile
Re: KRACK Attack Summary
« Reply #8 on: October 20, 2017, 03:39:10 PM »
I have heard from our Cisco SE that is only affects the WLC if you have 802.11r enabled (aka "Fast Transition").

deanwebb (OP)

  • Permit any any all log
  • Administrator
  • Volume Licensing
  • *****
  • Posts: 7404
  • Country: us
  • Rep: 19
  • *I* am the one who NACs.
    • View Profile
  • Certifications: FSCA: ForeScout Certified Administrator, CCNP Security, Tufin CSE, TippingPoint ASE
Re: KRACK Attack Summary
« Reply #9 on: October 20, 2017, 06:23:58 PM »
I have heard from our Cisco SE that is only affects the WLC if you have 802.11r enabled (aka "Fast Transition").
This is correct. We have an advisory that recommends shutting that feature off, along with making sure Windows devices have the 10 Oct 2017 security patches.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!

wintermute000

  • Senior Engineer
  • ****
  • Posts: 2371
  • Rep: 25
    • View Profile
  • Certifications: Alphabets
Re: KRACK Attack Summary
« Reply #10 on: October 21, 2017, 02:52:57 AM »
Er doesn't the patching fix the FT issue.

Because FT is critical for fast roaming (i.e. aka change the WAP without dropping a VOIP call) last time I checked. Surely this doesn't have to be flat out disabled if you're patched.


Put it his way, I haven't yet seen a single WLAN requirements specification that DOESN'T have fast roaming as a mandatory


OTOH I'm no WLAN specialist and I can't speak with authority on OKC vs PKC vs 802.11r and under what circumstances/what client/what OS which method is better (or worse) so if a WLAN guy wants to butt in, more than welcome. My hazy understanding is that 802.11r is the way forwards?
« Last Edit: October 21, 2017, 03:01:53 AM by wintermute000 »

deanwebb (OP)

  • Permit any any all log
  • Administrator
  • Volume Licensing
  • *****
  • Posts: 7404
  • Country: us
  • Rep: 19
  • *I* am the one who NACs.
    • View Profile
  • Certifications: FSCA: ForeScout Certified Administrator, CCNP Security, Tufin CSE, TippingPoint ASE
Re: KRACK Attack Summary
« Reply #11 on: October 21, 2017, 08:34:04 AM »
Er doesn't the patching fix the FT issue.

Because FT is critical for fast roaming (i.e. aka change the WAP without dropping a VOIP call) last time I checked. Surely this doesn't have to be flat out disabled if you're patched.


Put it his way, I haven't yet seen a single WLAN requirements specification that DOESN'T have fast roaming as a mandatory


OTOH I'm no WLAN specialist and I can't speak with authority on OKC vs PKC vs 802.11r and under what circumstances/what client/what OS which method is better (or worse) so if a WLAN guy wants to butt in, more than welcome. My hazy understanding is that 802.11r is the way forwards?

You're absolutely correct in that before the cayenne pepper hit the fan, 802.11r was what all the cool kids had activated on their wireless networks. Every article about 802.11r before October 2017 talked about how awesome it is. Well, I hate to break it to you, Morty, but...

:rick:

... sometimes all that cool convenience and speed is just a greeting card inviting in some really baaaaad stuff. I'm a security guy, so I'm used to telling people to use the breaks and then shaking my head when they lose control at 127 mph after ignoring my advice. Yeah, I'm looking at you, Jerry...

Good news here is that it's only the unpatched endpoint that's vulnerable. Bad news is that an unpatched AP is still an endpoint.

We didn't really see the 802.11r thing as being a vulnerability because we assumed that the WPA2 it was riding on was rock solid. Now that that assumption is shown to be false because of a "Nobody will ever do THAT" implementation, we need to apply the "Holy crap, they ARE doing THAT" patch and then we're back to the Fast Transition party like nothing happened.

While this is an important thing to patch everything in the world for, the fact remains that all those IoT devices on the network that belong to vendors that don't exist anymore... yeah, THOSE devices... well, they're unpatched. Either firewall them, ACL them, or rip them out and replace them with non-Internet versions that don't create holes in your security.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!