Forum Discussion

Guide

Oct 16, 2017

Solved

KRACK Vulnerabilities

Does the latest firmware fix any of the below vulnerabilities? CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088 If not, when will firmware be released to fix thes...

Firmware

Security

DaneA
Oct 25, 2017
Let me share this forum link:

https://community.netgear.com/t5/Business-Wireless/NETGEAR-Access-Points-and-KRACK-WPA2-Vulnerabilities/m-p/1403956#M4230

mdgm-ntgr

NETGEAR Employee Retired

Oct 17, 2017

NETGEAR is aware of the recently publicized security exploit KRACK, which takes advantage of security vulnerabilities in WPA2 (WiFi Protected Access II). NETGEAR has published fixes for multiple products and is working on fixes for others. Please follow the security advisory for updates.

NETGEAR appreciates having security concerns brought to our attention and are constantly monitoring our products to get in front of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at NETGEAR.

To protect users, NETGEAR does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, NETGEAR will announce the vulnerabilities from NETGEAR Product Security web page.

Auri

Star

Oct 17, 2017

Heads up that Windows, macOS, iOS, watchOS, and tvOS have already been patched as of last Tuesday.

Netgear - why, after about 2 months, is this not patched across current routers? Is it just a developer capacity issue? I could understand that... just not clear on the blanket "we're aware of it" statement. Anything we can do to help?

mdgm-ntgr
NETGEAR Employee Retired
Oct 18, 2017
It's my understanding that the Apple fixes are in beta, not production updates at this point.

You can read how a range of companies have responded to requests for comment on KRACK: KRACK attack: Here's how companies are responding

You can follow our security advisory for updates.
- Krobar
  Aspirant
  Oct 18, 2017
  Looks like the standalone WAC720 firmware has been updated but the enclosed firmware with the WC7500 has not been updated. Is there a suitable firmware due soon for the WC7500? IS there some way of updating the firmware deployed by the WC7500 to the WAC720 points?
  - kohdee
    NETGEAR Expert
    Oct 18, 2017
    Krobar wrote:
    Looks like the standalone WAC720 firmware has been updated but the enclosed firmware with the WC7500 has not been updated. Is there a suitable firmware due soon for the WC7500? IS there some way of updating the firmware deployed by the WC7500 to the WAC720 points?
    
    We are still validating if controllers are affected. At this exact moment, we do not believe the controller-controlled APs are affected, but standalone versions of them are. Please stay tuned to the KB article, which will be updated when we absolutely confirm the state of the controllers.
- Auri
  Star
  Oct 18, 2017
  Correct, apparently it's in betas and not released. My bad. http://appleinsider.com/articles/17/10/16/apple-confirms-krack-wi-fi-wpa-2-attack-vector-patched-in-ios-tvos-watchos-macos-betas
  - Auri
    Star
    Oct 18, 2017
    To be fair to Netgear and all the other router + OS manufacturers: Software development is hard. Testing is hard. Shipping fixes for dozens of products, all with different versions of software, is hard. So, I understand only 45 days was probably enough time to get a patch out there. For the security researchers, I feel they should have given 90 days embargo. I'm not clear on those details, but 45 days lead time before exploit release seems pretty tough for a software company, and tremendously difficult for a hardware company.