WPA2 has been cracked

How do I tell if my router's firmware update has the fix?

 

I have a D-Link DIR-890L running as my AP

4 minutes ago, LAwLz said:

That was me. I can not for the life of me find change logs for previous releases. Change logs for firmware updates that are pending? Easy to find. Change logs for firmware I already have installed? More well hidden than the aliens at area 51.

 

 

I’m thinking they may have patched it very discreetly as the patch notes are quite vague.

 

If you go into the firmware upgrade area, select “schedule upgrade” and click on the version number, it’ll present a screen where you can browse through all current and past change log notes. 

19 minutes ago, LAwLz said:

WPA Enterprise is vulnerable, but it depends on the client OS and patch status.

This is however one of the very clear downsides to BYOD actually showing its face. If it can't be mitigated by updates to AP and controllers alone it's a rather problematic issue.

 

We provide multiple different wireless networks with varying degrees of network access and controls, which can be easily defeated by a staff member using a personal device connecting to 'Staff Private Equipment' then signing in to something like the HR portal while their network traffic is compromised.

 

Depending on the type of business the impact could be not too bad to rather big, where I am where we are a university this is on the very upper end of 'Pray for AP patching alone to be enough'.

 

Edit:

Just in case people haven't realized this yet, secure application connections will still be secure, but every internal website and application is using SSL/SSH/Kerberos, right? ;)


Welp, gonna go look into this. I think I have WPA2-AES set up on my Asus AC68u router, but looks like reading through the thread the AES or TKIP encryption part isn't the issue :/

If you checked your router's change logs prior to 2 hours ago, go check them again. Due to the embargo vendors weren't allowed to release anything about the vulnerabilities. For example, Ubiquiti released a firmware update yesterday but the change logs made no mention of it until 2 hours ago when they edited the change logs to specifically include the KRACK details.

 

Also, if your router/client is OpenBSD based they pushed out a silent patch a few months ago. I know that pfSense is/was based on FreeBSD so I don't know if they got a silent patch yet or not.

28 minutes ago, Windspeed36 said:

I’m thinking they may have patched it very discreetly as the patch notes are quite vague.

 

If you go into the firmware upgrade area, select “schedule upgrade” and click on the version number, it’ll present a screen where you can browse through all current and past change log notes. 

Finally found it. I was looking under the network-wide tab and not the organization tab.

 

According to Meraki support KRACK has been fixed in version 24.11 (latest stable release).

They also recommend disabling 802.11r on all SSIDs but I have not looked into it enough to understand why that would be an issue.

 

 

29 minutes ago, leadeater said:

This is however one of the very clear downsides to BYOD actually showing its face. If it can't be mitigated by updates to AP and controllers alone it's a rather problematic issue.

 

We provide multiple different wireless networks with varying degrees of network access and controls, which can be easily defeated by a staff member using a personal device connecting to 'Staff Private Equipment' then signing in to something like the HR portal while their network traffic is compromised.

 

Depending on the type of business the impact could be not too bad to rather big, where I am where we are a university this is on the very upper end of 'Pray for AP patching alone to be enough'.

It sounds to me like an update to the APs will be enough, but I haven't looked into it enough to say for sure yet.

Let's hope that is the case. Wireless vendors have been very quick with updating their stuff though, and I don't see a reason why they would fix anything if it was purely a client issue.

4 minutes ago, LAwLz said:

They also recommend disabling 802.11r on all SSIDs but I have not looked into it enough to understand why that would be an issue.

Kinda sucks since that is designed for proper and reliable client roaming, should get fixed though.

 

Quote

IEEE 802.11r-2008 or fast BSS transition (FT), also called "fast roaming," is an amendment to the IEEE 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure handoffs from one base station to another managed in a seamless manner.

I wonder if this actually introduced an attack vector.

2 hours ago, LAwLz said:

2) It can be patched either at the client or the access point (good news)

3) The patch is backwards compatible, which means that there will be no issues with a patched client talking to an unpatched AP, or vice versa.

 

 

TL;DR:
Update your clients and access points and you will be fine.

I can expect all of my clients to receive a patch however my router's last firmware update was in 2016... (Thanks Belkin, but that's what I get for not looking for one with community support in the custom firmware department.)

So can I expect my current clients to be safe if they have the patch but the router doesn't, or is this where both sides need to be patched?


Is there a list of Patched Routers/APs?

I am unable to find anything for my D-Link DIR-890L in its latest update patch notes.


99% of routers won't have any firmware updates to fix this. Only the really popular ones might.

19 minutes ago, tjcater said:

So can I expect my current clients to be safe if they have the patch but the router doesn't, or is this where both sides need to be patched?

From my understanding (I can't stress it enough that I have not looked into this very much) you will be safe if either the AP or the client (or preferably both) are patched. So a patched client connected to an unpatched AP will be safe, and an unpatched client connected to a patched AP will be safe (I've only spent like 5 minutes reading this so I might be wrong).

Just now, LAwLz said:

From my understanding (I can't stress it enough that I have not looked into this very much) you will be safe if either the AP or the client (or preferably both) are patched. So a patched client connected to an unpatched AP will be safe, and an unpatched client connected to a patched AP will be safe (I've only spent like 5 minutes reading this so I might be wrong).

Well if this is true, then I will have nothing to worry about with this exploit. (I should still consider a new router but that's for another day)

2 minutes ago, NumLock21 said:

99% of routers won't have any firmware updates to fix this. Only the really popular ones might.

To be fair to router manufacturers, D-Link provided a firmware update to their ancient DIR-655 routers a few months back to fix a couple exploits in their web interface, and that's D-Link of all companies.

 

Considering how big of an issue KRACK could be if left unpatched, it's quite likely we could see companies provide patches back to some earlier models.

 

I'm worried it's going to be a bigger issue for *nix based devices like the onhub, Google WiFi, and WRT which are all using WPA_Supplicant and are vulnerable to the more dangerous form of this vulnerability. Kind of worried they'll likely just wait for it to get fixed upstream, which could take a while.

5 minutes ago, Sniperfox47 said:

To be fair to router manufacturers, D-Link provided a firmware update to their ancient DIR-655 routers a few months back to fix a couple exploits in their web interface, and that's D-Link of all companies.

 

Considering how big of an issue KRACK could be if left unpatched, it's quite likely we could see companies provide patches back to some earlier models.

 

I'm worried it's going to be a bigger issue for *nix based devices like the onhub, Google WiFi, and WRT which are all using WPA_Supplicant and are vulnerable to the more dangerous form of this vulnerability. Kind of worried they'll likely just wait for it to get fixed upstream, which could take a while.

Dir655 is a popular one. If you look at linksys e900, it has none. 

1 hour ago, Ryujin2003 said:

My garage doesn't get good reception and one bathroom is basically dead thanks to a mirror. Otherwise, I live in a town house, so it's pretty easy for me to limit my access. When Verizon wired it, I had them wire it to a central location even though it comes through a side wall. I did a friend's house as well, and he installed Ubiquiti WAPs along the center wall, with his router and everything in the basement. Ran cable up the center so he didn't have to worry about neighbors trying to play with his stuff.

Yeah, that's not an option I had/have... I have already made all the changes I am able to, years ago. I don't get many passers-by at all, so unlikely anyone would be out here trying to scan for hidden SSIDs. And I have guest networks, so it's not like there's something "missing" that people might be curious about... and if anyone gets on the guest network they are isolated from seeing other devices and only have access to the internet. It's not labelled as a "guest" either.

10 minutes ago, LAwLz said:

From my understanding (I can't stress it enough that I have not looked into this very much) you will be safe if either the AP or the client (or preferably both) are patched. So a patched client connected to an unpatched AP will be safe, and an unpatched client connected to a patched AP will be safe (I've only spent like 5 minutes reading this so I might be wrong).

8 minutes ago, tjcater said:

Well if this is true, then I will have nothing to worry about with this exploit. (I should still consider a new router but that's for another day)

Well... I might be wrong.

It is very much up in the air at this point.

 

The updates that have been pushed out fix issues mentioned in the paper, but the client patches are apparently the really important ones. So it is unclear if just updating the AP, or just updating the client will be enough.

 

Also, I found this blog post which tries to keep an updated list of which vendors have fixed it.

At the time of writing:

Clients:

  • Microsoft - Have said that they have issued a patch but did not say which one. A proper statement should be released later today. It seems like Windows in general is unaffected.
  • Apple - No statement yet but as with Windows, it seems like it is largely unaffected by this.
  • Android - A fix has been released but as we all know, it is very unclear how many users will actually get updated. If you get a patch after November 6 then you are most likely safe.
  • Linux - A patch has been released.
  • BSD - A patch has been released since quite a while back.

WiFi hardware:

  • Ubiquiti - Fix has been released.
  • MikroTik - Fix has been released.
  • Meraki - Fix has been released.
  • Aruba - Fix has been released.
  • FortiNet - Fix has been released.
  • Cisco - Has released a Security Advisory about it but all patches are labeled as "TBD". Probably won't take long though considering they have already fixed Meraki products.

1 hour ago, LAwLz said:

Finally found it. I was looking under the network-wide tab and not the organization tab.

 

According to Meraki support KRACK has been fixed in version 24.11 (latest stable release).

They also recommend disabling 802.11r on all SSIDs but I have not looked into it enough to understand why that would be an issue.

 

 

It sounds to me like an update to the APs will be enough, but I haven't looked into it enough to say for sure yet.

Let's hope that is the case. Wireless vendors have been very quick with updating their stuff though, and I don't see a reason why they would fix anything if it was purely a client issue.

Just to add in case you hadn't noticed (sorry if you have) or for anyone else, if you are running MR33s, MR30Hs, or MR74s then you must update to 25.7, 24.11 will not cover you for those models.

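The Meraki firmware floors quoted in this thread (24.11 in general, 25.7 for MR33, MR30H and MR74) and the advice to disable 802.11r can be turned into an inventory check. This is an added example, not part of any post and not Meraki tooling; the CSV column names, AP names and sample rows are constructed for illustration.

```python
import csv
import io

# Firmware floors as stated by posters in this thread (not checked against
# vendor documentation): 24.11 in general, 25.7 for MR33, MR30H and MR74.
DEFAULT_MIN = (24, 11)
MODEL_MIN = {"MR33": (25, 7), "MR30H": (25, 7), "MR74": (25, 7)}

# Constructed sample inventory. The column names are an assumption for this
# example, not a Meraki dashboard export format.
SAMPLE_INVENTORY = """name,model,firmware,dot11r_ssids
lobby-ap,MR42,24.11,
lab-ap,MR33,24.11,
library-ap,MR32,24.9,Staff;Guest
dorm-ap,MR74,25.7,Campus
annex-ap,MR30H,25.x,
"""


def parse_version(text):
    """Turn '24.11' into (24, 11) so versions compare numerically.

    Comparing the raw strings would rank '24.9' above '24.11'.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def audit(inventory_csv):
    """Return [(ap_name, [issue, ...])] for APs that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        required = MODEL_MIN.get(row["model"].strip().upper(), DEFAULT_MIN)
        issues = []
        try:
            if parse_version(row["firmware"]) < required:
                floor = ".".join(str(n) for n in required)
                issues.append(f"firmware {row['firmware']} below {floor}")
        except ValueError as exc:
            # An unreadable version is a finding, not a pass.
            issues.append(str(exc))
        ssids = [s.strip() for s in row["dot11r_ssids"].split(";") if s.strip()]
        if ssids:
            issues.append("802.11r enabled on: " + ", ".join(ssids))
        if issues:
            findings.append((row["name"], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY):
        print(f"{name}: " + "; ".join(issues))
```

The numeric tuple comparison matters here: a plain string comparison would treat 24.9 as newer than 24.11 and let an unpatched AP through.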
29 minutes ago, LAwLz said:

Well... I might be wrong.

It is very much up in the air at this point.

 

The updates that have been pushed out fix issues mentioned in the paper, but the client patches are apparently the really important ones. So it is unclear if just updating the AP, or just updating the client will be enough.

 

Also, I found this blog post which tries to keep an updated list of which vendors have fixed it.

At the time of writing:

Clients:

  • Microsoft - Have said that they have issued a patch but did not say which one. A proper statement should be released later today. It seems like Windows in general is unaffected.
  • Apple - No statement yet but as with Windows, it seems like it is largely unaffected by this.
  • Android - A fix has been released but as we all know, it is very unclear how many users will actually get updated. If you get a patch after November 6 then you are most likely safe.
  • Linux - A patch has been released.
  • BSD - A patch has been released since quite a while back.

WiFi hardware:

  • Ubiquiti - Fix has been released.
  • MikroTik - Fix has been released.
  • Meraki - Fix has been released.
  • Aruba - Fix has been released.
  • FortiNet - Fix has been released.
  • Cisco - Has released a Security Advisory about it but all patches are labeled as "TBD". Probably won't take long though considering they have already fixed Meraki products.

We received patches from Cisco. Our contact sent us an email with some details.

1 hour ago, LAwLz said:

Finally found it. I was looking under the network-wide tab and not the organization tab.

 

According to Meraki support KRACK has been fixed in version 24.11 (latest stable release).

They also recommend disabling 802.11r on all SSIDs but I have not looked into it enough to understand why that would be an issue.

 

 

It sounds to me like an update to the APs will be enough, but I haven't looked into it enough to say for sure yet.

Let's hope that is the case. Wireless vendors have been very quick with updating their stuff though, and I don't see a reason why they would fix anything if it was purely a client issue.

Can confirm, my Meraki AP and all of them at work mitigated this awhile back.


Meraki Portal is now making customers aware. Please disable 802.11r if you haven't already. 


So I feel I must correct a misconception that I've seen circulating the internet regarding this.  This is a vulnerability in the implementation of WPA2 by various manufacturers, not the WPA2 protocol itself.  Practically, yes everything still needs to be patched but the implications of the two are vastly different.  The first can be fixed by software updates whereas the latter cannot and requires a new protocol.  

 

I've spent most of this morning reading the paper and various vendor product advisories so to summarize the details of this attack:
1) Exploits a Key Reinstallation attack through one of several vectors (4-way handshake, Group Key Exchange, or 802.11r [Fast BSS Transition])
2) Requires a Man-in-the-Middle (MITM) attack
3) Both client and AP/infrastructure are affected and both must be patched to fully mitigate this exploit
4) Affects both WPA2-PSK and WPA2-Enterprise as the vulnerability exists in the implementation of the protocol, not the authentication method
5) Most vendors have already issued patches for this vulnerability as they have known about it for months.  

10 hours ago, hey_yo_ said:

Most of them that’s why they’re frequently targeted for hacking. Don’t get me started with corporations using out of date operating systems and refusing update installations. 

I've seen car dealerships (goldmines of financial data) running hacked versions of windows.  2 years in the car business, and I could have had access to the financial info of most of the country.

 

Been to many hospitals still running XP, and a 98 machine once.

 

Terrifying

5 hours ago, leadeater said:

Even without going to a techy solution, all you need is 15 seconds of access to someone's phone that is connected who isn't paying attention to their device for example.

This is why I have fingerprint lock; complex code, and my phone never leaves my sight.

21 minutes ago, kingfurykiller said:

I've seen car dealerships (goldmines of financial data) running hacked versions of windows.  2 years in the car business, and I could have had access to the financial info of most of the country.

 

Been to many hospitals still running XP, and a 98 machine once.

 

Terrifying

To be fair most (I know there are exceptions) that are using those OSes are on an isolated network or are entirely isolated from any network. In those cases as long as it does the job there is no point in updating and taking a chance in incompatibilities. I know places that have machines running MS-DOS on modern hardware just for the sake of compatibility.


Also any Meraki users/businesses please use the drop down "help" menu to see the impact on your devices/network.

 
