How does WatchGuard Wi-Fi Cloud protect my wireless network from the recently announced KRACK WPA/WPA2 vulnerabilities?
(CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Vulnerabilities have been discovered in how clients and APs implement the state machines for the WPA/WPA2 handshakes that generate and transport temporal keys (the 4-way handshake, the group key handshake, the 802.11r Fast BSS Transition handshake, and related handshakes). An attacker within radio range exploits them by blocking and replaying specific handshake messages over the air. A replayed message makes the victim reinstall a key it is already using, which resets the packet number (nonce) and replay counter associated with that key, so packet numbers are reused under the same key and the encryption can be attacked. For more information, see: KRACK WPA and WPA2 Wireless Vulnerabilities.
These vulnerabilities exist in both AP and client software implementations. WatchGuard addressed the AP-side vulnerabilities in Wi-Fi Cloud and AP software version 8.3.0-657, released on October 15th, 2017.
Client vulnerabilities must be addressed by updating the client OS software to a version that includes the fixes. Until all clients are updated, WatchGuard Wi-Fi Cloud APs can mitigate the client-side vulnerabilities by blocking the handshake messages that could be used to exploit clients.
In version 8.3.0-657 and higher, you can enable the Mitigate WPA/WPA2 key reinstallation vulnerabilities option in the WPA2 and WPA/WPA2 mixed mode security settings of an SSID Profile. When the option is enabled, the AP blocks handshake messages that could be used to exploit a client and instead forces the client to reauthenticate. This reauthentication typically does not require the user to re-enter credentials, but it can add a few seconds to the client connection time. The option is disabled by default.
Because the mitigation reacts to handshake messages that go missing, it also triggers on other conditions that look the same, such as natural frame errors during a handshake, or dropped packets when a client roams to another AP or moves beyond the range of the current AP. Some client authentication attempts can therefore fail and be reestablished. WatchGuard recommends that you enable this mitigation until you have updated all your client software to address the client vulnerabilities, and that you evaluate the impact on your client environment and user experience.
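The following Python model is an added illustration and not WatchGuard's AP code; the event model, the retry budget, and the action names are assumptions made for this example. It contrasts an AP that retransmits message 3 of the 4-way handshake with one that applies the kind of mitigation described above (refuse to resend message 3, deauthenticate, and start a fresh handshake), and shows the packet-number reset that an unpatched client exhibits and that a receiver's replay check can observe:

```python
"""Model of the final step of the WPA2 4-way handshake, with and without a
key-reinstallation mitigation. Added example, not WatchGuard code: the event
model, retry budget and action strings are assumptions made for illustration."""
from typing import List

MAX_MSG3_RETRIES = 3  # assumed retry budget of an unmitigated AP


def ap_handshake(msg4_outcomes: List[bool], mitigate: bool) -> List[str]:
    """Drive the AP from its first transmission of message 3 to key install.

    msg4_outcomes[i] is True if message 4 reached the AP after its i-th
    transmission of message 3, False if it was lost (a frame error) or held
    back by a KRACK man-in-the-middle. An integer stands in for the random
    ANonce so the caller can see whether it was refreshed.
    Returns the actions the AP took, in order.
    """
    actions: List[str] = []
    anonce = 0
    retries = 0
    actions.append(f"send_msg3(anonce={anonce})")
    for received in msg4_outcomes:
        if received:
            actions.append("install_ptk")
            return actions
        if mitigate:
            # Mitigated: never resend message 3 under the same ANonce. Tear the
            # association down and start a new handshake; whatever the client
            # installs next is derived from a fresh nonce. This is also why a
            # lost message 4 costs a full reconnect when the option is on.
            anonce += 1
            retries = 0
            actions.append("deauth")
            actions.append(f"send_msg3(anonce={anonce})")
        else:
            # Unmitigated: retransmit message 3 unchanged. A vulnerable client
            # that already installed the PTK reinstalls it and resets its
            # packet number, which is what KRACK exploits.
            retries += 1
            if retries > MAX_MSG3_RETRIES:
                actions.append("deauth")
                return actions
            actions.append(f"retransmit_msg3(anonce={anonce})")
    return actions


def client_tx_pns(events: List[str], patched: bool) -> List[int]:
    """Packet numbers (CCMP PN) a client uses for each "data" frame it sends.

    events is a constructed sequence of "msg3" (message 3 received) and
    "data" (one encrypted frame transmitted). An unpatched client installs
    the PTK on every message 3 and resets the PN each time; a patched client
    does not reinstall a key it already has, so its PN keeps increasing.
    """
    pns: List[int] = []
    pn = 0
    installed = False
    for ev in events:
        if ev == "msg3":
            if not installed or not patched:
                pn = 0  # (re)install resets the packet number
            installed = True
        elif ev == "data":
            pn += 1
            pns.append(pn)
        else:
            raise ValueError(f"unknown event {ev!r}")
    return pns


def nonce_reuse_index(pns: List[int]) -> int:
    """Index of the first packet number that fails to increase under one key,
    or -1. A receiver's replay check sees exactly this after a reinstall:
    the same PN, and therefore the same CCMP nonce, is used twice."""
    last = 0
    for i, pn in enumerate(pns):
        if pn <= last:
            return i
        last = pn
    return -1


if __name__ == "__main__":
    print(ap_handshake([False, True], mitigate=False))
    print(ap_handshake([False, True], mitigate=True))
    replay = ["msg3", "data", "data", "msg3", "data"]  # second msg3 is a retransmit
    unpatched = client_tx_pns(replay, patched=False)
    print(unpatched, "reuse at index", nonce_reuse_index(unpatched))
    print(client_tx_pns(replay, patched=True))
```

With a single lost message 4, the unmitigated AP retransmits message 3 under the same ANonce, which is the window a KRACK attacker waits for; the mitigated AP deauthenticates and restarts with a new ANonce, which is also the behaviour behind the reconnects you may see on lossy links or at the edge of coverage when the option is enabled.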
Enable WPA/WPA2 Vulnerability Mitigation in Wi-Fi Cloud
To enable WPA/WPA2 vulnerability mitigation for an SSID in Wi-Fi Cloud:
WIPS Mitigation of KRACK Vulnerabilities
WatchGuard Wi-Fi Cloud WIPS (Wireless Intrusion Prevention System) with dedicated WIPS sensors (not APs in background scanning mode) provides zero-day protection against these vulnerabilities when the MAC Spoofing option is enabled in your Intrusion Prevention configuration and prevention is enabled. WIPS actively blocks the exploit until you have upgraded all your APs and clients.
About Third-Party APs
This configuration also protects non-WatchGuard third-party APs, whether or not they have been patched for the vulnerabilities. If your third-party APs have not been patched for the KRACK vulnerabilities, we recommend that you also disable 802.11r (Fast Roaming) on these APs, because the Fast BSS Transition handshake vulnerability (CVE-2017-13082) affects the AP itself rather than the client.
To enable WPA/WPA2 vulnerability mitigation in WIPS:
If this is your first time using WIPS, we recommend you disable all other prevention options.
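As an added example of what the MAC Spoofing detection has to see (not WatchGuard's WIPS implementation): the KRACK attack places the victim on a rogue copy of the real AP, with the same SSID and BSSID, on a different channel, so that the attacker can hold back and replay handshake frames. A sensor that scans all channels then observes one authorized BSSID beaconing on two channels. The sensor observations, the authorized-AP table, and the function names below are constructed for this illustration.

```python
"""Flagging the KRACK man-in-the-middle from WIPS sensor observations.

Added example, not WatchGuard's WIPS implementation. The observation
records and the authorized-AP table are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Observation = Tuple[str, str, int, str]  # (bssid, ssid, channel, sensor_id)

# Constructed beacon observations collected by two dedicated sensors.
OBSERVATIONS: List[Observation] = [
    ("00:11:22:33:44:55", "corp-wifi", 6, "sensor-1"),
    ("00:11:22:33:44:55", "corp-wifi", 6, "sensor-2"),
    ("00:11:22:33:44:55", "corp-wifi", 11, "sensor-2"),  # clone of the real AP on channel 11
    ("00:11:22:33:44:66", "corp-wifi", 1, "sensor-1"),
    ("aa:bb:cc:dd:ee:ff", "guest", 11, "sensor-2"),
]

# Authorized BSSIDs and the channel each is configured to operate on (constructed).
AUTHORIZED: Dict[str, int] = {"00:11:22:33:44:55": 6, "00:11:22:33:44:66": 1}


def channels_by_bssid(observations: List[Observation]) -> Dict[str, Set[int]]:
    """Collect every channel on which each BSSID was seen beaconing."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for bssid, _ssid, channel, _sensor in observations:
        seen[bssid].add(channel)
    return seen


def find_mac_spoofing(observations: List[Observation],
                      authorized: Dict[str, int]) -> Dict[str, List[int]]:
    """Return {bssid: [rogue channels]} for every authorized BSSID that was
    also seen beaconing on a channel it is not configured for. A clone of an
    authorized AP on another channel is the KRACK man-in-the-middle setup."""
    seen = channels_by_bssid(observations)
    alerts: Dict[str, List[int]] = {}
    for bssid, home_channel in authorized.items():
        rogue = sorted(seen.get(bssid, set()) - {home_channel})
        if rogue:
            alerts[bssid] = rogue
    return alerts


def containment_targets(observations: List[Observation],
                        authorized: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """(bssid, channel, sensor) triples a prevention-enabled sensor should
    contain. The sensor that observed the clone is the one positioned to
    deauthenticate clients that attached to it on that channel."""
    alerts = find_mac_spoofing(observations, authorized)
    targets = set()
    for bssid, _ssid, channel, sensor in observations:
        if channel in alerts.get(bssid, []):
            targets.add((bssid, channel, sensor))
    return sorted(targets)


if __name__ == "__main__":
    print(find_mac_spoofing(OBSERVATIONS, AUTHORIZED))
    print(containment_targets(OBSERVATIONS, AUTHORIZED))
```

Two practical caveats follow from the model. The authorized table must reflect the channel each AP is currently on, or an AP that legitimately moved (for example through automatic channel selection) will be reported as spoofed. And the clone is only visible to a radio that dwells long enough on the rogue channel to catch its beacons, which is why dedicated sensors, rather than APs that scan off-channel briefly in the background, are needed for this protection.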