strods
MikroTik Support
Topic Author
Posts: 1367
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 9:00 am

On October 16, CERT/CC/ICASI released a public announcement about discovered vulnerabilities in WPA2 handshake protocols that affect most WiFi users and all vendors worldwide.
RouterOS v6.39.3, v6.40.4, v6.41rc are not affected!
It is important to note that the vulnerability is discovered in the protocol itself, so even a correct implementation is affected.
These organizations did contact us earlier, so we have already released fixed versions that address the outlined issues. Not all of the discovered vulnerabilities directly impact RouterOS users, or even apply to RouterOS, but we did follow all recommendations and improved the key exchange process according to the guidelines we received from the organizations who discovered the issue.
We released fixed versions last week, so if you upgrade your devices routinely, no further action is required.
CWE-323
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13084
CVE-2017-13086
CVE-2017-13087
CVE-2017-13088

The following applies to RouterOS software prior to updates related to the issue.

nv2
nv2 is not affected in any way. This applies to both nv2 AP and client. No nonce reset is possible in the key exchange and key re-installation is not possible, because the nv2 key exchange does not directly follow the 802.11 key exchange specification.

802.11 nonce reuse
RouterOS is not affected in any way. RouterOS generates a cryptographically strong random initial nonce on boot and never reuses the same nonce during uptime.

802.11 key reinstallation
The device operating as client in key exchange is affected by this issue. This means that RouterOS in station modes and APs that establish WDS links with other APs are affected. RouterOS APs (both standalone and CAPsMAN controlled) that do not establish WDS links with other APs are not affected. Key reinstallation by resending a key exchange frame allows an attacker to reset the encrypted frame packet counter. This allows the attacker to replay frames that were previously sent by the AP to the client. Please note that RouterOS DOES NOT reset the key to some known value that would allow an attacker to inject/decrypt any frames to/from the client.

Suggested course of action
It is always recommended to upgrade to the latest RouterOS version, but depending on wireless protocol and mode the suggested course of action is as follows:
- nv2: no action necessary
- 802.11/nstreme AP without WDS: no action necessary
- CAPsMAN: no action necessary
- 802.11/nstreme client (all station modes) or AP with WDS: upgrade to fixed version ASAP.

For AP devices:
Mode | Course of action
nv2 | No upgrade necessary
nstreme | No upgrade necessary
WiFi | No upgrade necessary
CAPsMAN WiFi | No upgrade necessary
WDS WiFi/nstreme | Upgrade required

For CPE devices (MikroTik Station mode):
Mode | Course of action
nv2 | No upgrade necessary
WiFi | Upgrade required
nstreme | Upgrade required

*Please contact your vendor for any 3rd party devices in the network.
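
The packet counter reset described under "802.11 key reinstallation" above, as an added example that is not part of the original post and is not MikroTik's code. It is a toy model of a client's receive-side replay check; the `Station` class, its method names and the sample key are hypothetical, and the "skip reinstalling a key that is already in use" check is the general mitigation for this class of bug, assumed here rather than taken from the announcement.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Station:
    """Toy model of a client's receive path for one pairwise key.

    Hypothetical names throughout. Frame formats, key derivation and
    encryption are left out so that only the counter logic is visible.
    """
    skip_same_key_reinstall: bool            # True = hardened behaviour
    installed_key: Optional[bytes] = None
    last_rx_pn: int = 0                      # highest packet number accepted so far
    delivered: List[str] = field(default_factory=list)

    def on_handshake_msg3(self, key: bytes) -> bool:
        """Handle message 3 of the 4-way handshake, or a retransmission of it.

        Returns True when the key was (re)installed and the replay counter
        was reset, False when the install was skipped.
        """
        if self.skip_same_key_reinstall and key == self.installed_key:
            return False                     # key already in use: keep the counter
        self.installed_key = key
        self.last_rx_pn = 0                  # a fresh install starts counting from zero
        return True

    def on_data_frame(self, pn: int, payload: str) -> bool:
        """Accept a frame only if its packet number is strictly increasing."""
        if self.installed_key is None or pn <= self.last_rx_pn:
            return False                     # no key yet, or a replayed/old frame
        self.last_rx_pn = pn
        self.delivered.append(payload)
        return True


def run_scenario(skip_same_key_reinstall: bool) -> dict:
    """Replay one captured frame before and after a resent message 3."""
    sta = Station(skip_same_key_reinstall)
    key = b"constructed-sample-key"          # constructed value, not a real PTK
    sta.on_handshake_msg3(key)
    for pn, payload in [(1, "frame-A"), (2, "frame-B"), (3, "frame-C")]:
        sta.on_data_frame(pn, payload)
    replay_before = sta.on_data_frame(2, "frame-B")   # old PN: rejected
    reinstalled = sta.on_handshake_msg3(key)           # same key delivered again
    replay_after = sta.on_data_frame(2, "frame-B")    # accepted only if counter reset
    return {
        "replay_before_reinstall": replay_before,
        "key_reinstalled": reinstalled,
        "replay_after_reinstall": replay_after,
        "frames_delivered": len(sta.delivered),
    }


if __name__ == "__main__":
    print("reinstalls same key:", run_scenario(False))
    print("skips same key     :", run_scenario(True))
```

A rekey with a different key still installs in the hardened model, so normal key rotation is unaffected by the check.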
 
paulct
Member Candidate
Posts: 263
Joined: Fri Jul 12, 2013 5:38 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 9:34 am

Well done on the quick response.
 
Erayd
just joined
Posts: 5
Joined: Mon Nov 09, 2015 9:59 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 9:52 am

> Well done on the quick response.
Agreed. I just found out about this, headed to the forums to see what (if any) mitigation options were available, and discovered that my APs were already sorted. Thank you :-).

Noting the details about this vulnerability are currently scarce - is it sufficient that the APs be patched to address the issue, or might older (non-mikrotik) clients still be vulnerable to this problem, even when the AP is running a non-vulnerable implementation?
 
kometchtech
Member Candidate
Posts: 194
Joined: Sat Jun 15, 2013 4:25 am
Location: Japan

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 10:33 am

Basically, is it OK to understand Routerboard with AP function as target?
If you are using the CAPsMAN function with Routerboard without AP function, is this Routerboard also applicable?
--
Routerboard Users Group JP
http://www.rb-ug.jp/
CCR1009-8G-1S-1S+, RB750Gr3, CRS226-24G-2S+, RB850Gx2, RB960PGS, CRS317-1G-16S+,
RB2011UAS, CRS125-24G-1S, RB962UiGS-5HacT2HnT, CRS212-1G-10S-1S+, RB3011UiAS
 
Berlic
just joined
Posts: 3
Joined: Wed Apr 25, 2012 8:34 am

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 10:36 am

Hello, thank you for rapid response with the patch.

But I'm not seeing 6.39.3 as available update for my router.
It just shows v6.39.2 (stable) as current version, and no packages are available at auto-upgrade section. Is there a reason?
 
okazdal
Trainer
Posts: 21
Joined: Fri Aug 07, 2015 4:44 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 10:44 am

> Hello, thank you for rapid response with the patch.
>
> But I'm not seeing 6.39.3 as available update for my router.
> It just shows v6.39.2 (stable) as current version, and no packages are available at auto-upgrade section. Is there a reason?
Hi,
6.39.3 is on bugfix channel.

Osman Kazdal
 
Berlic
just joined
Posts: 3
Joined: Wed Apr 25, 2012 8:34 am

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 10:47 am

> 6.39.3 is on bugfix channel.
Thanks! Updated my router manually from bugfix channel (via Packages tab, not Auto-Upgrade)! But will have to find out why update-upgrade is not working as I'd have expected.
 
sid5632
Member Candidate
Posts: 277
Joined: Fri Feb 17, 2017 6:05 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 10:53 am

> But I'm not seeing 6.39.3 as available update for my router.
> It just shows v6.39.2 (stable) as current version, and no packages are available at auto-upgrade section. Is there a reason?
What sort of response do you expect when you haven't said what model your router is???
Duh.
 
normis
MikroTik Support
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 11:13 am

Since the Bugfix channel was updated last, it could be possible your local network still has the previous release info cached. Should be available soon.
No answer to your question? How to write posts
 
Mplsguy
MikroTik Support
Posts: 226
Joined: Fri Jun 06, 2008 5:06 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 11:19 am

> Basically, is it OK to understand Routerboard with AP function as target?
> If you are using the CAPsMAN function with Routerboard without AP function, is this Routerboard also applicable?
Actually it is station mode device that is primary target and needs to be fixed. RouterOS APs in AP mode (either standalone or controlled by CAPsMAN) are not affected by this - improvements are in station mode code.
 
Bergante
Member Candidate
Posts: 120
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 11:28 am

Hi :)

First, congratulations (and a big thank you!) on the quick response. One more reason to stick to Mikrotik.

Now, a suggestion. RouterOS has been affected by the WPA2 vulnerability but you have released a fix. I would certainly rephrase that announcement. I guess some people will just read the subject and say "phew, I'm secure!"
 
normis
MikroTik Support
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 11:42 am

> Hi :)
>
> First, congratulations (and a big thank you!) on the quick response. One more reason to stick to Mikrotik.
>
> Now, a suggestion. RouterOS has been affected by the WPA2 vulnerability but you have released a fix. I would certainly rephrase that announcement. I guess some people will just read the subject and say "phew, I'm secure!"
In the statement, we included a line, maybe it was not clearly phrased. One of the biggest issues that was mentioned, never applied to RouterOS at all ("nonce reuse"). We did include other general suggestions from CERT for key exchange improvement. So part of that stuff never affected RouterOS. Other part was addressed.
No answer to your question? How to write posts
 
Bergante
Member Candidate
Posts: 120
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 11:49 am

> In the statement, we included a line, maybe it was not clearly phrased. One of the biggest issues that was mentioned, never applied to RouterOS at all ("nonce reuse"). We did include other general suggestions from CERT for key exchange improvement.
Oh alright, then I misunderstood. Sorry!

I assumed that this problem affected all the implementations.

In that case, double kudos apply.
 
Ivotje
just joined
Posts: 1
Joined: Mon Oct 16, 2017 12:21 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 12:23 pm

All routers updated, only my Caps-man forgot what certs to use so it decided to turn off.
Without wifi, it must be a lot safer ;)

Setting the certs to the right values and everything was working like a charm again ;)
 
Caci99
Forum Guru
Posts: 1030
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 12:36 pm

So what does this mean exactly in general? Can the password be stolen? How has Mikrotik fixed it, if it is the protocol itself that is vulnerable?
-Toni-
Don't crash the ambulance, whatever you do
 
normis
MikroTik Support
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 12:44 pm

> So what does this mean exactly in general? Can the password be stolen? How has Mikrotik fixed it, if it is the protocol itself that is vulnerable?
All details just published here: https://www.krackattacks.com
No answer to your question? How to write posts
 
R1CH
Forum Veteran
Posts: 724
Joined: Sun Oct 01, 2006 11:44 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 3:50 pm

It's important to note that this is a client vulnerability - patching your router / AP does not prevent the attack from working on connected devices. You need to update almost every device that has WPA2 support.
 
fatmacheto
just joined
Posts: 8
Joined: Fri Jul 25, 2014 1:07 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 5:40 pm

Vendor Information for VU#228519
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse
Vendor | Status | Date Notified | Date Updated
Aruba Networks | Affected | 28 Aug 2017 | 09 Oct 2017
Cisco | Affected | 28 Aug 2017 | 10 Oct 2017
Espressif Systems | Affected | 22 Sep 2017 | 13 Oct 2017
Fortinet, Inc. | Affected | 28 Aug 2017 | 16 Oct 2017
FreeBSD Project | Affected | 28 Aug 2017 | 12 Oct 2017
HostAP | Affected | 30 Aug 2017 | 16 Oct 2017
Intel Corporation | Affected | 28 Aug 2017 | 10 Oct 2017
Juniper Networks | Affected | 28 Aug 2017 | 28 Aug 2017
Microchip Technology | Affected | 28 Aug 2017 | 16 Oct 2017
Red Hat, Inc. | Affected | 28 Aug 2017 | 04 Oct 2017
Samsung Mobile | Affected | 28 Aug 2017 | 12 Oct 2017
Toshiba Commerce Solutions | Affected | 15 Sep 2017 | 13 Oct 2017
Toshiba Electronic Devices & Storage Corporation | Affected | 28 Aug 2017 | 16 Oct 2017
Toshiba Memory Corporation | Affected | 28 Aug 2017 | 16 Oct 2017
Ubiquiti Networks | Affected | 28 Aug 2017 | 16 Oct 2017
ZyXEL | Affected | 28 Aug 2017 | 13 Oct 2017
Arista Networks, Inc. | Not Affected | 28 Aug 2017 | 09 Oct 2017
Lenovo | Not Affected | 28 Aug 2017 | 11 Oct 2017
MikroTik | Not Affected | 28 Sep 2017 | 16 Oct 2017
VMware | Not Affected | 28 Aug 2017 | 16 Oct 2017
 
CyB3RMX
Member Candidate
Posts: 129
Joined: Thu May 26, 2011 7:08 am

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 6:46 pm

Nice!
Have a great day!
Certified: MTCNA - MTCWE - MTCRE
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 7:53 pm

It's funny that Mikrotik already had this patched in the most recent bugfix and stable release trains, while Ubiquiti's response on AirMax is that it's "not as easy" on AirMax shots, and that a patched beta will be released later this week.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
slimmerwifi
just joined
Posts: 12
Joined: Tue Aug 01, 2017 6:05 pm
Location: Netherlands

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 7:54 pm

Great work guys :-)
We manage 50+ corporate wifi networks in the Netherlands using Mikrotik & Cloudcore equipment.
 
loghmanpour
just joined
Posts: 1
Joined: Sat Aug 05, 2017 6:26 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 8:05 pm

Thanks for publishing and informing.
 
Caci99
Forum Guru
Posts: 1030
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 8:26 pm

> It's important to note that this is a client vulnerability - patching your router / AP does not prevent the attack from working on connected devices. You need to update almost every device that has WPA2 support.
Which means every device :) ( I guess every one secures wireless connection on WPA2)
If I understood it correctly, if you patch the AP you will practically secure the third handshake of WPA2 which AP sends if client drops. But is the client still listening for a resend? I am curious about the method Mikrotik used to fix this vulnerability of the protocol itself, although as far as we know Mikrotik was not affected even in previous versions of ROS.
-Toni-
Don't crash the ambulance, whatever you do
 
pcunite
Long time Member
Posts: 634
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 8:44 pm

From the link:

> What if there are no security updates for my router?
>
> Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
 
tomaskir
Trainer
Posts: 1102
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 10:02 pm

Good job on the fast announcement and staying on top of the vulnerabilities.

Special thanks for the additional per-protocol information and the clarification that was added after the initial post!
(for people coming in later - the bottom half of MikroTik's post was added after official information became available at 14:00 CET)
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
JimmyNyholm
Member Candidate
Posts: 246
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: RouterOS NOT affected by WPA2 vulnerabilities

Mon Oct 16, 2017 11:45 pm

Thanks for fast and clear information.
 
pacman88
just joined
Posts: 23
Joined: Mon Aug 22, 2016 7:08 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 12:15 am

Hi

when I read about the vulnerability this morning I immediately checked the forum and was very happy to read this announcement. I updated all my access points and was quite relieved this should not concern me anymore. Now that there is more information and as it was already quoted:
> From the link:
>
> What if there are no security updates for my router?
>
> Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
I am asking myself if my networks really are secure just because I upgraded my access points. To me it reads more like this was a client issue and may not be resolved by patching an access point?

May someone come up with a more detailed explanation how the update to my AP will solve this issue?

BR
Alex
 
jandafields
Forum Guru
Posts: 1513
Joined: Mon Sep 19, 2005 6:12 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 12:28 am

> Hi
>
> when I read about the vulnerability this morning I immediately checked the forum and was very happy to read this announcement. I updated all my access points and was quite relieved this should not concern me anymore. Now that there is more information and as it was already quoted:
> > From the link:
> >
> > What if there are no security updates for my router?
> >
> > Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
> I am asking myself if my networks really are secure just because I upgraded my access points. To me it reads more like this was a client issue and may not be resolved by patching an access point?
>
> May someone come up with a more detailed explanation how the update to my AP will solve this issue?
>
> BR
> Alex
Some routers also have Client/Station mode (instead of being an AP) and are therefore vulnerable in those modes.
 
pacman88
just joined
Posts: 23
Joined: Mon Aug 22, 2016 7:08 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 12:35 am

Then this announcement was terribly misleading and is causing a false sense of safety. This is fucking dangerous and must not happen!!!!

It must be explicitly stated in which cases the update will help and even more importantly in which cases it will not, especially if it will not mitigate the vulnerability in the majority of cases.

@Mikrotik:
please update your initial post to clarify exactly what the update will prevent and what it will not!

BR
Alex
 
agix
just joined
Posts: 2
Joined: Mon Aug 17, 2015 2:46 am
Location: Indonesia

Re: RouterOS NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 4:03 am

Thanks for the info, I always keep my MikroTik up to date.
 
chebedewel
just joined
Posts: 4
Joined: Tue Feb 02, 2016 6:41 am
Location: Noumea

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 7:54 am

Thank you for the details and the quick publication. update in progress ^_^
Bertrand Cherrier
MTCNA - MTCTCE
_______________________________________________________
MikroTik Consultant & Distributor for New Caledonia
 
sparrow
Frequent Visitor
Posts: 52
Joined: Wed Jul 11, 2012 10:59 am

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 11:12 am

> 802.11/nstreme client (all station modes)
So all clients that use nstreme in station-bridge mode need to be upgraded too??
Thanks
MTCNA - MTCRE - MTCWE
 
macgaiver
Forum Guru
Posts: 1688
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 12:23 pm

> > 802.11/nstreme client (all station modes)
> So all clients that use nstreme in station-bridge mode need to be upgraded too??
> Thanks
Sorry, but "all station modes" mean "all station modes" :)
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
sparrow
Frequent Visitor
Posts: 52
Joined: Wed Jul 11, 2012 10:59 am

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 12:31 pm

> > > 802.11/nstreme client (all station modes)
> > So all clients that use nstreme in station-bridge mode need to be upgraded too??
> > Thanks
> Sorry, but "all station modes" mean "all station modes" :)
Yes, I know, but I wanted to be sure to have understood well!
Thanks a lot
MTCNA - MTCRE - MTCWE
 
Jeroen1000
Member Candidate
Posts: 195
Joined: Fri Feb 18, 2011 2:05 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 4:23 pm

> Hi
>
> when I read about the vulnerability this morning I immediately checked the forum and was very happy to read this announcement. I updated all my access points and was quite relieved this should not concern me anymore. Now that there is more information and as it was already quoted:
> > From the link:
> >
> > What if there are no security updates for my router?
> >
> > Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
> I am asking myself if my networks really are secure just because I upgraded my access points. To me it reads more like this was a client issue and may not be resolved by patching an access point?
>
> May someone come up with a more detailed explanation how the update to my AP will solve this issue?
>
> BR
> Alex
Hi Alex

You can fix the 4-way handshake issue either at the client side or at the Access Point side. That is where your confusion comes from. Seeing you do not have every AP under your administrative control, updating the client is the best approach for home users. However, not all clients (looking at Android phones here!) will receive a patch. So it's good practice to also fix it at the AP side:-). Consult the manufacturer for more information whether this fix also works when the client is still vulnerable.

If your AP acts as a client, called station mode (or bridge mode), then fixing the AP that is in station mode is a must unless the AP it is connecting to already has the fix.
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: RouterOS NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 4:43 pm

> You can fix the 4-way handshake issue either at the client side or at the Access Point side. ... So it's good practice to also fix it at the AP side:-).
Wrong!!! KRACK is a pure client-side attack. Patching AP will give you nothing.
 
bratislav
newbie
Posts: 49
Joined: Mon May 05, 2014 10:36 am

Re: RouterOS NOT affected by WPA2 vulnerabilities

Tue Oct 17, 2017 6:49 pm

> > You can fix the 4-way handshake issue either at the client side or at the Access Point side. ... So it's good practice to also fix it at the AP side:-).
> Wrong!!! KRACK is a pure client-side attack. Patching AP will give you nothing.
Worse!!! Patching AP will just give some people false sense of security when in fact every client on the WiFi network is vulnerable, Android the most but also every other client WPA implementation regardless, and that could allow an attacker to cause havoc in your network ... so look for client patches, APs are irrelevant!!!
 
Jeroen1000
Member Candidate
Posts: 195
Joined: Fri Feb 18, 2011 2:05 pm

Re: RouterOS NOT affected by WPA2 vulnerabilities

Wed Oct 18, 2017 7:33 pm

> > You can fix the 4-way handshake issue either at the client side or at the Access Point side. ... So it's good practice to also fix it at the AP side:-).
> Wrong!!! KRACK is a pure client-side attack. Patching AP will give you nothing.
It's not wrong, however, I understand your interpretation. You cannot prevent the attack (on the clients) by patching the AP. If you can get an unpatched client to connect to the attacker's rogue AP, the attack remains possible. However, you can fix the handshake vulnerability at the AP even if the client is not patched. It's good practice to do that. So a vulnerable client will not make a vulnerable handshake if an AP is patched. I hope this clarification makes sense.
 
tstoddard
just joined
Posts: 1
Joined: Wed Oct 18, 2017 8:21 pm

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Wed Oct 18, 2017 8:28 pm

I notice that the NV2 is not affected. My question is if the tower is NV2 but WDS is turned on and client is using WDS are they affected?
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: RouterOS NOT affected by WPA2 vulnerabilities

Wed Oct 18, 2017 8:34 pm

> If you can get an unpatched client to connect to the attacker's rogue AP, the attack remains possible. However, you can fix the handshake vulnerability at the AP even if the client is not patched. It's good practice to do that. So a vulnerable client will not make a vulnerable handshake if an AP is patched.
You don't appear to understand how these attacks work; and your comments are misleading at best. Please stop that!
 
lazdins
just joined
Posts: 2
Joined: Wed Oct 18, 2017 8:58 pm
Location: Riga, Latvia

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Wed Oct 18, 2017 9:28 pm

Hello guys!

Just want to have approval - is the SXTsq Lite5 model firmware secure against the latest WPA2 vulnerability?

Regards
 
JoseCarrion
just joined
Posts: 12
Joined: Thu Jan 14, 2010 4:24 pm

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Wed Oct 18, 2017 10:42 pm

> Hello guys!
>
> Just want to have approval - is the SXTsq Lite5 model firmware secure against the latest WPA2 vulnerability?
>
> Regards
Hi,
just ensure your RouterOS version is at least equal or above 6.39.3 in bugfix channel, 6.40.4 in current channel or 6.41rc if you use the release candidate channel.
Check it through System->Packages and upgrade as necessary.
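
The version check above combined with the per-mode guidance from the announcement, as an added example that is not part of any post and is not MikroTik tooling. The inventory records and their field names (`name`, `version`, `protocol`, `mode`, `wds`) are a constructed, simplified schema; treating every 6.41rc build and every later branch as fixed is an assumption, as is treating any protocol setting other than plain `nv2` as possibly 802.11/nstreme.

```python
import re

# Minimum patch level that carries the fix, per release branch named in the thread.
FIXED_PATCH = {(6, 39): 3, (6, 40): 4}
# Assumption: every 6.41rc build and every later branch includes the fix.
FIRST_FIXED_BRANCH = (6, 41)

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc\d*)?$")


def has_fix(version: str) -> bool:
    """True if a RouterOS version string is at or above a fixed release."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised RouterOS version: {version!r}")
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if branch >= FIRST_FIXED_BRANCH:
        return True
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    return False  # branches older than 6.39 are not among the fixed versions listed


def acts_as_client(dev: dict) -> bool:
    """True if the device takes the client role in an 802.11/nstreme key exchange.

    Per the announcement: nv2 is unaffected in both roles; station modes and
    APs with WDS links are the affected configurations.
    """
    if dev["protocol"] == "nv2":
        return False
    # Any other setting (including an auto-select value) is treated
    # conservatively as possibly negotiating 802.11 or nstreme.
    return dev["mode"].startswith("station") or bool(dev.get("wds"))


def assess(dev: dict) -> str:
    """Classify one device as 'no-action', 'fixed' or 'upgrade-required'."""
    if not acts_as_client(dev):
        return "no-action"
    return "fixed" if has_fix(dev["version"]) else "upgrade-required"


def audit(inventory: list) -> dict:
    """Map each device name to its classification."""
    return {dev["name"]: assess(dev) for dev in inventory}


# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "tower-ap", "version": "6.39.2", "protocol": "802.11", "mode": "ap-bridge", "wds": False},
    {"name": "cpe-1", "version": "6.39.2", "protocol": "802.11", "mode": "station", "wds": False},
    {"name": "cpe-2", "version": "6.40.4", "protocol": "nstreme", "mode": "station-bridge", "wds": False},
    {"name": "ptp-nv2", "version": "6.38.5", "protocol": "nv2", "mode": "station", "wds": False},
    {"name": "repeater", "version": "6.40.3", "protocol": "802.11", "mode": "ap-bridge", "wds": True},
    {"name": "lab-rc", "version": "6.41rc44", "protocol": "any", "mode": "station", "wds": False},
]

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:10s} {status}")
```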
 
lazdins
just joined
Posts: 2
Joined: Wed Oct 18, 2017 8:58 pm
Location: Riga, Latvia

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Thu Oct 19, 2017 12:57 am

Thanks for the answers - I will check those RouterOS versions and update them accordingly!
 
bajodel
Long time Member
Posts: 541
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Thu Oct 19, 2017 12:09 pm

Thanks for the fast fix and clear information, well done!
 
dasiu
Trainer
Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Thu Oct 19, 2017 12:31 pm

MikroTik Team, short question:
If I have a wireless link on 802.11 protocol using Management Protection - can it be vulnerable to the attacks (before the upgrade)? Or does Management Protection already solve the problem (by not allowing the client, if Management Protection is "required", to connect to a "fake" AP not using it)?
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Thu Oct 19, 2017 12:40 pm

> Or does Management Protection already solve the problem (by not allowing the client, if Management Protection is "required", to connect to a "fake" AP not using it)?
According to the documentation, the management frame protection has nothing to do with the initial 4-way handshake, and thus does not protect you from the aforementioned attacks. Also please note that these attacks do not require wireless clients to connect to a "fake" AP - this "fake" AP just listens and sends you some additional packets while you are still connected to the "real" AP.
 
Jeroen1000
Member Candidate
Posts: 195
Joined: Fri Feb 18, 2011 2:05 pm

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Thu Oct 19, 2017 5:49 pm

Hi Andriys

Please be constructive instead of just shouting at me. Not looking for an online fight.
What do you mean by your last post?
> Also please note that these attacks do not require wireless clients to connect to a "fake" AP - this "fake" AP just listens and sends you some additional packets while you are still connected to the "real" AP
The demo from the researcher clearly indicates a man-in-the-middle attack. It is shown in the video on his website around 1:54 https://youtu.be/Oh4WURZoR98
Hence, the client does connect to the malicious AP. You seem to claim the client does not need to connect to the fake AP?
 
JimmyNyholm
Member Candidate
Posts: 246
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: RouterOS NOT affected by WPA2 vulnerabilities

Thu Oct 19, 2017 6:08 pm

> > > You can fix the 4-way handshake issue either at the client side or at the Access Point side. ... So it's good practice to also fix it at the AP side:-).
> > Wrong!!! KRACK is a pure client-side attack. Patching AP will give you nothing.
> Worse!!! Patching AP will just give some people false sense of security when in fact every client on the WiFi network is vulnerable, Android the most but also every other client WPA implementation regardless, and that could allow an attacker to cause havoc in your network ... so look for client patches, APs are irrelevant!!!
Patching ap is viable if ap is used as a client (station mode) and has some or all software errors that were reported. But in all sense you are right ALL CLIENTS SHOULD UPGRADE and AP that is used as a CLIENT may or may not be needing updates as well. Microsoft and Apple in their latest updates already patched. But Linux and Android were following rfc to the point and were therefore hit hard this time. And we all know how well fragmented the android market is.... Many perhaps will not even get an update.... Game over in that case.
 
bratislav
newbie
Posts: 49
Joined: Mon May 05, 2014 10:36 am

Re: RouterOS NOT affected by WPA2 vulnerabilities

Thu Oct 19, 2017 6:58 pm

> > > > You can fix the 4-way handshake issue either at the client side or at the Access Point side. ... So it's good practice to also fix it at the AP side:-).
> > > Wrong!!! KRACK is a pure client-side attack. Patching AP will give you nothing.
> > Worse!!! Patching AP will just give some people false sense of security when in fact every client on the WiFi network is vulnerable, Android the most but also every other client WPA implementation regardless, and that could allow an attacker to cause havoc in your network ... so look for client patches, APs are irrelevant!!!
> Patching ap is viable if ap is used as a client (station mode) and has some or all software errors that were reported. But in all sense you are right ALL CLIENTS SHOULD UPGRADE and AP that is used as a CLIENT may or may not be needing updates as well. Microsoft and Apple in their latest updates already patched. But Linux and Android were following rfc to the point and were therefore hit hard this time. And we all know how well fragmented the android market is.... Many perhaps will not even get an update.... Game over in that case.
Well I did say CLIENT implementation is vulnerable ...
Although APs implementing 802.11r are also affected by CVE-2017-13082 and should be patched ... but Mikrotik does not support it as far as I know ...
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities

Thu Oct 19, 2017 10:27 pm

> The demo from the researcher clearly indicates a man-in-the-middle attack. It is shown in the video on his website around 1:54 https://youtu.be/Oh4WURZoR98
> Hence, the client does connect to the malicious AP. You seem to claim the client does not need to connect to the fake AP?
You should have also read the detailed description of the attack, and not just watch the demonstration video. Now to your points. Yes, it is an MiTM type of attack (researchers called it channel-based MiTM attack). No, the victim does not connect to the rogue AP (and no attempt is made to trick it to connect to the rogue AP at the beginning). Instead, it is tricked to switch to the rogue AP once the connection with the real AP is established. And no, there's nothing the real AP can do to prevent this.
