Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6663
Views
15
Helpful
16
Replies

WPA2 vulnerability

Go to solution
pavan.pawar
Level 1
Level 1

‎10-17-2017 11:03 PM - edited ‎03-20-2019 09:38 PM

I have received notification from Security about below Cisco WPA2 vulnerability and many of cisco Access-Point are affected due to this vulnerability but they have suggested software upgradation on Cisco WLC

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

 

currently i have 3600 and 3700 AP and 8.0.140 software version running on WLC.

In above link they have not given that 8.0.140 os affected due WPA2 vulnerability ,

 

So Do i need to add software patch on my WLC. Please suggest.

Many thanks in Advance.

 

Regards,

Pavan Pawar

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to pavan.pawar

‎10-17-2017 11:28 PM

@pavan.pawar wrote:

am still confused here because they have not mentioned that 8.0.x version is affected.

Do i need to upgrade WLC ? 

8.0.X.X is vulnerable otherwise Cisco wouldn't divert resources to publish a fix.

This vulnerability affects anything with a wireless NIC.  It's not just wireless AP but also wireless clients as well.  Patching the client will fix 9 out of 10 vulnerabilities but not CVE-2017-13082.

Perspective About the Recent WPA Vulnerabilities (KRACK Attacks)

 

View solution in original post

16 Replies 16

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎10-17-2017 11:16 PM - edited ‎10-20-2017 04:15 PM

 

KRACK.png 

APs are running firmware which are vulnerable.  Above is the official date of release of the fixes.

0 Helpful

Go to solution
pavan.pawar
Level 1
Level 1
In response to Leo Laohoo

‎10-17-2017 11:25 PM

am still confused here because they have not mentioned that 8.0.x version is affected.

 

Do i need to upgrade WLC ? 

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to pavan.pawar

‎10-17-2017 11:28 PM

@pavan.pawar wrote:

am still confused here because they have not mentioned that 8.0.x version is affected.

Do i need to upgrade WLC ? 

8.0.X.X is vulnerable otherwise Cisco wouldn't divert resources to publish a fix.

This vulnerability affects anything with a wireless NIC.  It's not just wireless AP but also wireless clients as well.  Patching the client will fix 9 out of 10 vulnerabilities but not CVE-2017-13082.

Perspective About the Recent WPA Vulnerabilities (KRACK Attacks)

 

Go to solution
patoberli
VIP Alumni
VIP Alumni
In response to pavan.pawar

‎10-17-2017 11:28 PM

For some of the bugs 8.0 is also affected, first fixed release is 8.0.15x.0: ETA October 19th, 2017. See bug ID: CSCvf47808


0 Helpful

Go to solution
richar_f
Level 1
Level 1
In response to Leo Laohoo

‎12-08-2017 05:28 AM

What are the options, please, for customers using Mobility Express on a 1852i for instance, and without a contract to download the patched version ? There should be a go-to version of 8.5 for instance that people would be able to download to fix this vulnerability. Is that available somewhere ? Thank you.

0 Helpful

Go to solution
patoberli
VIP Alumni
VIP Alumni
In response to richar_f

‎12-08-2017 05:31 AM

There is an email address in the advisory where you can request the software in such a case.


0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to richar_f

‎12-08-2017 03:33 PM

@richar_f wrote:

What are the options, please, for customers using Mobility Express on a 1852i for instance, and without a contract to download the patched version ? There should be a go-to version of 8.5 for instance that people would be able to download to fix this vulnerability. Is that available somewhere ? Thank you.

Read my post above.  

Carefully read the Cisco Security Advisory called "Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II" and scroll down to the  "Customers Without Service Contracts" section.  Read very, very carefully the first two paragraphs with emphasis on the second paragraph. 

Hope this helps. 

Please don't forget to rate our useful posts.

0 Helpful

Go to solution
pavan.pawar
Level 1
Level 1

‎10-17-2017 11:33 PM

Many thanks 

 

Cheers..

Pavan P

0 Helpful

Go to solution
ivanchakarov
Level 1
Level 1

‎10-18-2017 01:39 AM

What about the clients that are using older software - 7.4 for example?
0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to ivanchakarov

‎10-18-2017 02:08 AM

@ivanchakarov wrote:
What about the clients that are using older software - 7.4 for example?

7.4.X.X is already end-of-support.  So no fixes for that version.  

Go to solution
pavan.pawar
Level 1
Level 1
In response to Leo Laohoo

‎10-19-2017 02:21 AM

Group key (GTK) reinstallation when processing a Wireless Network Management (WNM) Sleep Mode Response frame

A vulnerability in the processing of the 802.11v (Wireless Network Management) Sleep Mode Response frames could allow an unauthenticated, adjacent attacker to force a supplicant that is compliant with the 802.11v standard to reinstall a previously used group key.

The vulnerability is due to ambiguities in the processing of associated protocol messages. An attacker could exploit this vulnerability by passively eavesdropping and retransmitting previously used WNM Sleep Mode Response frames.

This vulnerability has been assigned the following CVE ID: CVE-2017-13087

 

can you suggest on above vulnerability ..

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to pavan.pawar

‎10-19-2017 03:09 AM - edited ‎10-20-2017 04:43 PM

@pavan.pawar wrote:

can you suggest on above vulnerability ..

I don't understand the question.  

Cisco is going to publish the software fix on 23 October 2017.  

I just want to repeat this over and over again:  Cisco's software fix is only going to fix one of ten vulnerabilities.  Patching the client will fix 9 of the 10.  

0 Helpful

Go to solution
henrikb
Level 1
Level 1
In response to Leo Laohoo

‎10-19-2017 04:40 AM

what about the boot version ?

 
15.3(3)JD7 should be a fixed to
 
But do we need to upgrade both the software version and boot version?
Or are you home free with the software version? Is it when you run standalone AP's you need the boot version to be at least 15.3(3)JD7?
0 Helpful
Customers Also Viewed These Support Documents