WatchGuard Support Center
Knowledge Base Article 000011090
Gateway Wireless Controller and the KRACK WPA/WPA2 wireless vulnerabilities

Information
How does the Gateway Wireless Controller on my Firebox protect my wireless network from the recently announced KRACK WPA/WPA2 vulnerabilities?

(CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Vulnerabilities have been discovered in how clients and APs implement, in software, the state machines for the WPA/WPA2 handshakes that generate and transport temporal keys. The vulnerabilities can be exploited by manipulating certain handshake messages over the air. A successful exploit causes some packet numbers to be reused after a handshake. For more information, see: KRACK WPA and WPA2 Wireless Vulnerabilities.

These vulnerabilities occur in both AP software and client software implementations. WatchGuard has addressed these vulnerabilities for the Gateway Wireless Controller and APs in Fireware v12.0.1 and the following AP firmware versions released on October 30th, 2017.
  • AP120, AP320, AP322, AP420: 8.3.0-657
  • AP325: 8.5.0-646
  • AP100, AP102, AP200: 1.2.9.14
  • AP300: 2.0.0.9
Client vulnerabilities must be addressed by updating the client OS to a version that includes fixes for them. Until all clients are updated, APs managed by the Gateway Wireless Controller can mitigate the client vulnerabilities by blocking handshake messages that could exploit clients.

In Fireware v12.0.1, you can enable the Mitigate WPA/WPA2 key reinstallation vulnerabilities in clients option for WPA2 and WPA/WPA2 mixed mode security settings in the SSID settings. This option activates the handshake blocking and forces clients to reauthenticate. The reauthentication typically does not require the user to re-enter credentials, but it can add a few seconds to the client connection time. The option is disabled by default.

The mitigation logic can also trigger on other conditions that look like dropped handshake packets, for example, natural frame errors during a handshake, or packets dropped when a client roams from one AP to another or moves beyond the range of the current AP. This can cause some client authentications to fail and be reestablished. WatchGuard recommends that you enable this mitigation feature until you have updated all your client software to address the client vulnerabilities, and that you evaluate the impact on your client environment and user experience.
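The handshake blocking described above, modelled as a small authenticator-side state machine (an added example, not WatchGuard's code; the client MAC, the action names and the single policy of never retransmitting message 3 are assumptions). With mitigation on, a lost message 4 leads to deauthentication and a fresh handshake instead of a retransmitted message 3, which is also why a natural frame error or a roam triggers the same reauthentication:

```python
# States of one client's 4-way handshake as seen by the authenticator (AP).
IDLE, SENT_MSG1, SENT_MSG3, PTK_INSTALLED = "idle", "sent_msg1", "sent_msg3", "ptk_installed"

class HandshakeGuard:
    """Hypothetical AP-side model (not WatchGuard's code) of the mitigation.
    mitigate=True: when message 4 is lost, message 3 is NOT retransmitted
    (the retransmission that key reinstallation relies on); the client is
    deauthenticated and must start a fresh handshake instead.
    mitigate=False: standard behaviour, message 3 is simply retransmitted.
    """
    def __init__(self, mitigate):
        self.mitigate = mitigate
        self.state = {}           # client MAC -> handshake state
        self.forced_reauths = {}  # client MAC -> number of forced reauths

    def start(self, mac):
        self.state[mac] = SENT_MSG1
        return "send_msg1"

    def on_msg2(self, mac):
        if self.state.get(mac) != SENT_MSG1:
            return "drop"         # out-of-order frame, ignore it
        self.state[mac] = SENT_MSG3
        return "send_msg3"

    def on_msg4(self, mac):
        if self.state.get(mac) != SENT_MSG3:
            return "drop"
        self.state[mac] = PTK_INSTALLED
        return "install_ptk"

    def on_msg4_timeout(self, mac):
        """Message 4 never arrived: frame error, roaming, or manipulation."""
        if self.state.get(mac) != SENT_MSG3:
            return "ignore"
        if self.mitigate:
            self.state[mac] = IDLE
            self.forced_reauths[mac] = self.forced_reauths.get(mac, 0) + 1
            return "deauth"       # force a fresh handshake
        return "send_msg3"        # standard retransmission

def simulate(mitigate, lose_msg4):
    """Run one handshake for a constructed client and return the AP's final action."""
    ap = HandshakeGuard(mitigate)
    ap.start("client-a")
    ap.on_msg2("client-a")
    if lose_msg4:                 # e.g. a natural frame error or a roam
        return ap.on_msg4_timeout("client-a")
    return ap.on_msg4("client-a")
```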

Enable WPA/WPA2 Vulnerability Mitigation in the Gateway Wireless Controller

To enable WPA/WPA2 vulnerability mitigation for an SSID in the Gateway Wireless Controller:
  1. Log in to your Firebox that runs the Gateway Wireless Controller.
  2. Select Network > Gateway Wireless Controller.
  3. Select the SSIDs tab.
  4. Edit the SSID.
  5. In the Settings tab, select the Mitigate WPA/WPA2 key reinstallation vulnerability in clients check box.
  6. Click Save.

About Wi-Fi Cloud and WIPS

If you upgrade your APs to Wi-Fi Cloud, you can provide additional protection for your wireless network with WIPS (Wireless Intrusion Prevention System).

WatchGuard Wi-Fi Cloud WIPS with dedicated WIPS sensors provides zero-day protection against these vulnerabilities if the MAC Spoofing option is enabled in your Intrusion Prevention configuration and prevention is enabled. WIPS actively blocks the exploit until you upgrade all your APs and clients.

For more information on WatchGuard Wi-Fi Cloud, see the WatchGuard web site.