Waiting for a patch from Netgear on KRACK vulnerability in its WPA2 algorithm.

---

Tr4nc3 wrote:

Hi Netgear,

I think this is really important and should be monitored closely and all the wifi users should ask the vendors to monitor an patch this.

Looks like that WPA2 is about to be cracked and the details / exploit will be released soon.

the US CERT released this note:

"

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017."

 

Looks like that Aruba , Ubiquiti, Microtik, and other vendors are adressing the issue on software updates.

Can you please let me and all the users know if NETGEAR is currently looking on this ? 

Are you going to update your software to fix all the reported CVEs ?

 

List of CVEs:

CWE-323
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13083
CVE-2017-13084
CVE-2017-13085
CVE-2017-13086
CVE-2017-13087

 

More details:

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-tra...

---

Agreed. Every single Netgear device with Wi-Fi is vulnerable to this and while other vendors already have firmware updates addressing this vulnerability Netgear has nothing!

guys but this is catch 22.... have a stable-ish system with the wifi bug or have a secure system and a broken orbi...... 

Some other vendors already released patches (OpenBSD, Mikrotik...) thus NetGear must demonstrate to the community that security is a serious topic for them.

You can also find information here https://www.krackattacks.com/

And from that very site, prominently in the FAQ:

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

Hey   rhester72, good point ... Indeed looks to be on the client side but we need to remember that on a Mesh network the satelite is also a client of the main router or other satelities .

Sniffing the traffic from the satelite to the router would have all the connections of the connected devices and backhaul communication .... so you would be able to sniff the network traffic just like an old network HUB.

I would love to hear from Netgear on this and if they managed to test this attack surface.

Hi Netgear. I have a router Nighthawk X6 | Tri-Band WiFi Router | AC3200 (R8000) | NETGEAR.

Any news about the WPA2 Security Flaw patch??

When do you release it? It's urgent!

Thanks

I _think_ the Orbi backhaul traffic is double-encrypted, both with WPA2 on-the-wire and a second layer of encryption at the layer 7 level between the devices, which would make a MITM attack fruitless (if inconvenient, because it would obviously break comms between the satellite and router).

It would be nice to hear an official position from Netgear.

Does the recent firmware version 2.0.0.74 for the Orbi AC3000 mesh WiFi system contain a fix for the WPA2 - KRACK vulnerability? According to the Vulnerability Notes Database, Netgear was notified on August 28, 2017 concerning this critical problem (https://www.kb.cert.org/vuls/id/CHEU-AQNMYE). If this latest firmware does not contain a fix, will Netgear be supplying one in the very near future?

Hello Netgear,

Please advise status of patching for crackattacks exploit. I turned the router radios off to mitigate but this is not a long term solution. Firmware V1.0.3.54_1.1.37.

Thanks,

Jarmo

According to this -- https://www.kb.cert.org/vuls/id/228519 -- Netgear was notified of the issue on August 28, along with just about everybody else except for a few firms that got the news in September. Since then, Netgear has offered two firmware updates for the WNDR3400 line, the last (1.0.1.14) on October 4. It is possible the fix is already in, but if so why is Netgear holding its silence rather than reassuring its millions of users?

We don't know when Netgear was notified of the details of this attack, at the most it was a month (since early sept) That is not enough time for some companies to patch depending on thier processes.

Also this attack is mostly client side, and Android / Linux seems to be the most vulernable. Other clients are too based on FAST 802.11R prorotocal, but you can turn that off in Orib within the new Firmware.

In essence, by turning off FAST roaming at the router you are protecting as much as you can from a router perspective, and the rest is up to the devices that attach. Make sure you update all of your IOT devices such as cameras, TV's and Android devices.

Apple already has a patch in beta that should be release before any attack actually surfaces.

Thanks AAZ,

All vendors were notified in late June.

Jarmo

https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-...

orbi 2.0.0.74 and lower is vulnerable according to this : https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-...

I'm also waiting for a response from Netgear regarding this issue, it's a very serious vulnerability, many vendors have already started providing a patch.

Hello Ely,

Please see https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-... . Looks like WAPs are only vulnerable in bridge mode - meaning you need at least 2. The vulnerable handshake would occur when they 'pair'. Which makes sense, as the WAP is not going to try to initiate a handshake session with an endpoint, it's the other way around. Good luck!

Jarmo

Hopefully it won't take too long for Netgear to release updated firmware for the Orbi's that address the KRACK vulnerability.  

Also look into updating all of your clients, when updates actually become available.

I have to say...given the known facts about the disclosure of the vulnerability to vendors, I'm not sure 'proactive' is the word I'd use, and the whole reason this thread exists is because CERT waited as long as they could before a coordinated announcement...thus the exact details of the vulnerabilities are very much released as a call to action to those who failed to respond in a timely fashion.

I appreciate that Netgear has a very large number of affected products in the wild, but given that is literally your line of business and that severe security vulnerabilities are discovered against the most common components of consumer network gear every few months, it's really just part of the business model.

To be honest, I'd have preferred a response along the lines of "our bad, we've too many products to patch in only two months, we've hired staff and are literally working three shifts a day to resolve this, please stay tuned for weekly status updates" versus "we're a very proactive company who doesn't release information for your protection".  It rings very, very hollow.

So what about recent router models like mine that aren't mentioned in Netgear's announcement? Do they not need a patch (unlikely!), or is Netgear abandoning them?