
KRACK Vulnerabilities

AngryDog
Guide

KRACK Vulnerabilities

Does the latest firmware fix any of the below vulnerabilities?

CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088

If not, when will firmware be released to fix these?

Model: WAC730|3x3 Wireless-AC Access Points
Message 1 of 31

Accepted Solutions
DaneA
NETGEAR Employee Retired

Re: KRACK Vulnerabilities

Message 31 of 31

All Replies
Auri
Star

Re: KRACK Vulnerabilities

Agreed - is a patch in the works? Hoping you won't ignore us.

FYI: I heard MikroTik has a fix in their latest firmware.

For those of you who are unaware, below is a link to the vulnerability details. Basically, if you're using WPA2 encryption, which almost everyone is, you're vulnerable. Yowsa.

https://betanews.com/2017/10/16/krack-wpa2-security-vulnerability/

Message 2 of 31
AngryDog
Guide

Re: KRACK Vulnerabilities

Ubiquiti are also releasing a patch. I believe that they have one available on beta test. I've been trying to get my manager to move to Ubiquiti for a while, this could push us.

Message 3 of 31
Auri
Star

Re: KRACK Vulnerabilities

I also added a note to their IdeaBoard:

https://community.netgear.com/t5/Idea-Exchange-For-Business/Patch-for-Krack-Vulnerability/idi-p/1395...

Give it a thumb up and get their attention?

Message 4 of 31
AngryDog
Guide

Re: KRACK Vulnerabilities

Done! This is serious and needs addressing ASAP.

My only query is: does a patched AP with an unpatched device (like a mobile phone / laptop) mean that it is secure?

Message 5 of 31
Auri
Star

Re: KRACK Vulnerabilities

From what I understand, as long as ONE device is patched, you're OK. It appears that the hack works by forging a copy of the Wi-Fi network, then getting the device onto the forged network. If the device doesn't require a certificate re-send on the hop to the new network, then it's vulnerable. I tweeted a link:

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

Ideally, you want the client OS patched, and all routers as quickly as possible.

Message 6 of 31
AngryDog
Guide

Re: KRACK Vulnerabilities

Reading more into this, and thanks to your link, traffic sent via HTTPS doesn't seem to be affected?

Also, would using a VPN negate this as well?

Message 7 of 31
Auri
Star

Re: KRACK Vulnerabilities

It seems any tools for sniffing and decrypting network traffic would work once an attacker has you on "their" network. So, I'm thinking VPN and HTTPS should be pretty safe, since they're encrypted from the client to the destination. However, that doesn't preclude an attacker from recording the packets and eventually decrypting them. You're on "their" network, after all. At least, that's the way I see it.

Message 8 of 31
AngryDog
Guide

Re: KRACK Vulnerabilities

Yes that would make sense. The idea is though to make sure you're not on "their" network, and the only way of doing that currently is to effectively get patched, once patches are available.

The issue is, when are those patches going to be available? It has become an arms race.

Message 9 of 31
RaghuHR
NETGEAR Expert

Re: KRACK Vulnerabilities

WAC720/WAC730 -> firmware version 3.7.12.0 has the fix.

  • Fixed security vulnerabilities in WPA2 handshake mechanism.

Please refer to the link below for more details.

https://kb.netgear.com/000049001/WAC720-WAC730-Firmware-Version-3-7-12-0

Thanks

Raghu

Message 10 of 31
AngryDog
Guide

Re: KRACK Vulnerabilities

Thanks.  I did see that but wasn't sure as it isn't very specific, and I like specifics!

Message 11 of 31
AngryDog
Guide

Re: KRACK Vulnerabilities

Well that was fun.  The firmware update broke the Access Point, thanks for that.

Message 12 of 31
Auri
Star

Re: KRACK Vulnerabilities

Which firmware update? Haven't seen a new one come through yet.

Message 13 of 31
Auri
Star

Re: KRACK Vulnerabilities

It helps to scroll up. I'll try it today! Thanks!

Message 14 of 31
Auri
Star

Re: KRACK Vulnerabilities

Ahh, I see. I have an R8000 X6 Nighthawk consumer router. Will there be a firmware update coming for that product?

Message 15 of 31
AngryDog
Guide

Re: KRACK Vulnerabilities

I wouldn't use it. It's broken the Access Point here. I am not amused.

Message 16 of 31
Tkrbt78
Aspirant

Re: KRACK Vulnerabilities

You aren't on "their" network. This vulnerability allows the attacker to steal your key and then spy on all of your network packets; they don't need to be connected to your network, and you don't need to be connected to theirs.

However, any connection you make from a device to a server, such as your bank, should be protected if you are using adequate encryption for that session. This is analogous to tapping your phone line, but if you are using strong encrypted communications all the eavesdropper hears is noise.
Message 17 of 31
Galt
Aspirant

Re: KRACK Vulnerabilities

When will a firmware patch to address the Krack WPA/WPA2 vulnerability be released for the Orbi RBK53 (RBR50)?

Thanks.

Message 18 of 31
slatedrake
Initiate

Re: KRACK Vulnerabilities

Second vote for patch for X6 AC32000 Nighthawk (R8000)

Message 19 of 31
cheh6ThUp5et
Aspirant

Re: KRACK Vulnerabilities

I have the Netgear Nighthawk R6900.

I just ran the routerlogin.net based update check and it gave me V1.0.1.28_1.0.21 firmware. Then it said this is the latest firmware available. Does this firmware have the fix for KRACK?

Thank you very much.

Message 20 of 31
mdgm-ntgr
NETGEAR Employee Retired

Re: KRACK Vulnerabilities

NETGEAR is aware of the recently publicized security exploit KRACK, which takes advantage of security vulnerabilities in WPA2 (WiFi Protected Access II). NETGEAR has published fixes for multiple products and is working on fixes for others. Please follow the security advisory for updates.

NETGEAR appreciates having security concerns brought to our attention and is constantly monitoring our products to get in front of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at NETGEAR.

To protect users, NETGEAR does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, NETGEAR will announce the vulnerabilities from the NETGEAR Product Security web page.

Message 21 of 31
Auri
Star

Re: KRACK Vulnerabilities

Heads up that Windows, macOS, iOS, watchOS, and tvOS have already been patched as of last Tuesday.

Netgear - why, after about 2 months, is this not patched across current routers? Is it just a developer capacity issue? I could understand that... just not clear on the blanket "we're aware of it" statement. Anything we can do to help?

Message 22 of 31
mdgm-ntgr
NETGEAR Employee Retired

Re: KRACK Vulnerabilities

It's my understanding that the Apple fixes are in beta, not production updates at this point.

You can read how a range of companies have responded to requests for comment on KRACK: KRACK attack: Here's how companies are responding

You can follow our security advisory for updates.

Message 23 of 31
Krobar
Aspirant

Re: KRACK Vulnerabilities

Looks like the standalone WAC720 firmware has been updated but the enclosed firmware with the WC7500 has not been updated. Is there a suitable firmware due soon for the WC7500? Is there some way of updating the firmware deployed by the WC7500 to the WAC720 points?
Model: WAC720|2x2 Wireless-AC Access Points
Message 24 of 31
Auri
Star

Re: KRACK Vulnerabilities

Message 25 of 31