Tr4nc3
Initiate
Oct 16, 2017
Solved

WPA2 - KRACK / Vulnerability

Hi Netgear,

I think this is really important and should be monitored closely, and all the wifi users should ask the vendors to monitor and patch this.

It looks like WPA2 is about to be cracked and the details / exploit will be released soon.

The US-CERT released this note:

"US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017."

It looks like Aruba, Ubiquiti, MikroTik, and other vendors are addressing the issue in software updates.

Can you please let me and all the users know if NETGEAR is currently looking into this?

Are you going to update your software to fix all the reported CVEs?

 

List of CVEs:

CWE-323
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13083
CVE-2017-13084
CVE-2017-13085
CVE-2017-13086
CVE-2017-13087

 

More details:

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

  • mdgm-ntgr
    Oct 17, 2017

    NETGEAR is aware of the recently publicized security exploit KRACK, which takes advantage of security vulnerabilities in WPA2 (WiFi Protected Access II).  NETGEAR has published fixes for multiple products and is working on fixes for others. Please follow the security advisory for updates.

     

    NETGEAR appreciates having security concerns brought to our attention and is constantly monitoring our products to get in front of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at NETGEAR.

    To protect users, NETGEAR does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, NETGEAR will announce the vulnerabilities from the NETGEAR Product Security web page.

44 Replies

  • Waiting for a patch from Netgear on KRACK vulnerability in its WPA2 algorithm.



    • Anonymous

      CVE-2017-13088 is also implicated

  • Agreed. Every single Netgear device with Wi-Fi is vulnerable to this and while other vendors already have firmware updates addressing this vulnerability Netgear has nothing!

     

    • cinek
      Apprentice

      Guys, but this is a catch-22... have a stable-ish system with the wifi bug or have a secure system and a broken Orbi...

  • Some other vendors already released patches (OpenBSD, Mikrotik...) thus NetGear must demonstrate to the community that security is a serious topic for them.

      • rhester72
        Virtuoso

        And from that very site, prominently in the FAQ:

         

        What if there are no security updates for my router?

         

        Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

  • Does the recent firmware version 2.0.0.74 for the Orbi AC3000 mesh WiFi system contain a fix for the WPA2 - KRACK vulnerability? According to the Vulnerability Notes Database, Netgear was notified on August 28, 2017 concerning this critical problem (https://www.kb.cert.org/vuls/id/CHEU-AQNMYE). If this latest firmware does not contain a fix, will Netgear be supplying one in the very near future?

  • Hello Netgear,

     

    Please advise status of patching for crackattacks exploit. I turned the router radios off to mitigate but this is not a long term solution. Firmware V1.0.3.54_1.1.37.

    Thanks,

    Jarmo

    • MacLiam
      Aspirant

      According to this -- https://www.kb.cert.org/vuls/id/228519 -- Netgear was notified of the issue on August 28, along with just about everybody else except for a few firms that got the news in September. Since then, Netgear has offered two firmware updates for the WNDR3400 line, the last (1.0.1.14) on October 4. It is possible the fix is already in, but if so why is Netgear holding its silence rather than reassuring its millions of users?

    • aaz
      Virtuoso

      We don't know when Netgear was notified of the details of this attack; at the most it was a month (since early Sept). That is not enough time for some companies to patch, depending on their processes.

      Also this attack is mostly client side, and Android / Linux seems to be the most vulnerable. Other clients are too, based on the FAST 802.11R protocol, but you can turn that off in Orbi within the new firmware.

      In essence, by turning off FAST roaming at the router you are protecting as much as you can from a router perspective, and the rest is up to the devices that attach. Make sure you update all of your IoT devices such as cameras, TVs and Android devices.

      Apple already has a patch in beta that should be released before any attack actually surfaces.
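Added example, not part of any post in this thread and not NETGEAR code: once fast roaming has been switched off as the replies above suggest, the access point should stop advertising 802.11r, which can be checked by parsing the tagged elements of a captured beacon. The beacon bytes below are constructed samples, and the function names are hypothetical.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
FT_AKMS = {3: "FT-802.1X", 4: "FT-PSK", 9: "FT-SAE"}  # fast-transition AKM types

# Constructed samples: SSID "home" + RSN element (+ Mobility Domain element).
BEACON_FT_ON = bytes.fromhex(
    "0004686f6d65"
    "3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac04 0000"
    "3603 a1b2 01")
BEACON_FT_OFF = bytes.fromhex(
    "0004686f6d65"
    "3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")

def iter_elements(blob):
    """Yield (element_id, body) pairs; stop at the first truncated element."""
    pos = 0
    while pos + 2 <= len(blob):
        eid, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2 : pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length

def rsn_akm_types(body):
    """Return the AKM suite types (OUI 00-0F-AC) listed in an RSN element body."""
    if len(body) < 8:                    # version(2) + group cipher(4) + count(2)
        return []
    (pairwise_count,) = struct.unpack_from("<H", body, 6)
    pos = 8 + 4 * pairwise_count         # skip the pairwise cipher list
    if len(body) < pos + 2:
        return []
    (akm_count,) = struct.unpack_from("<H", body, pos)
    suites = [body[pos + 2 + 4 * i : pos + 6 + 4 * i] for i in range(akm_count)]
    return [s[3] for s in suites if len(s) == 4 and s[:3] == RSN_OUI]

def fast_roaming_findings(blob):
    """List every sign in the beacon that 802.11r is still being advertised."""
    findings = []
    for eid, body in iter_elements(blob):
        if eid == 48:                    # RSN element
            findings += ["RSN AKM " + FT_AKMS[t]
                         for t in rsn_akm_types(body) if t in FT_AKMS]
        elif eid == 54 and len(body) >= 3:   # Mobility Domain element
            findings.append("Mobility Domain element, MDID " + body[:2].hex())
    return findings

if __name__ == "__main__":
    for name, beacon in (("FT on", BEACON_FT_ON), ("FT off", BEACON_FT_OFF)):
        print(name, fast_roaming_findings(beacon) or "no 802.11r advertised")
```

An empty result only shows that the access point side no longer offers fast transition; the clients still need their own updates, as the posts above point out.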

  • Just to put things into perspective, the KRACK attack is not so much a router attack as a client one. So the satellite may need updating (assuming it's using WPA for securing connectivity)  but the router doesn't necessarily need one. See the following from the KRACK discoverer's site:

     

    https://www.krackattacks.com/#norouterupdates

  • SOLUTION = BETA FIRMWARE PATCH

    NetGear released a patch on 2017-11-02.

    Although I had contacted support via email, I never received any response, whether "yes, it's a problem" or "we've issued a patch."

    Not the best experience, not a way to build confidence.

    But, at least there is finally a patch.

    • JMU1998
      Luminary

      Is this patch going to be part of the next firmware release, or will we need to patch again after taking the next firmware?

  • Downloaded both files

    unzipped both and read the release notes.

    backed up 2.0.0.74 settings

    manually installed 2.0.0.76 beta on both RBS50 units

    once they rebooted and came back up on the new firmware

    manually installed 2.0.0.76 beta on the RBR50

    checked all settings and nothing changed...

    BUT, normally when you install a beta firmware you are supposed to hard reset (paperclip) the router and satellites and then manually configure them from scratch. This is to implement the new code.

    You are NOT supposed to restore from the backup you made on the previous version of firmware either. This is to preclude any settings being brought forward that may conflict or improperly interact with the new firmware.

    It made no mention of doing this on the beta firmware page or in the readme files... so I didn't do it and don't really know if the "hotfix" is actually implemented and running on the RBK53 system. All devices report they are running the new firmware, but are they really without a hard reset?

    I am going to defer to Netgear admins to provide clarification on this topic.

     

    • SkywalkerPD
      Apprentice

      Hi,

      Trying to update my setup, starting with the satellite, I do a manual update, select the proper firmware, it uploads and that's it, nothing happens.

      Any suggestions?

      • wchp
        Luminary

        Download and unzip the RBR and RBS beta firmware.

        Power cycle all your devices (RBR50 and RBS50(s))

        once everything is up, go to advanced>administration>attached devices

        write down the IP address(s) of the satellite(s) 

        enter the satellite(s) IP address in your browser

        enter the UID and PWD (same as your router)

        select firmware update 

        browse and navigate to the unzipped folder for the RBS units

        select and open the img file

        select upload

        that should get the job done.