Note: Please upgrade to firmware Version 0.1.11888 or later, which includes the fix to address this issue.
What is this vulnerability?
This is a security vulnerability for wireless networks that was publicly announced on October 16th, and impacts WPA2 networks as per VU#228519: https://www.kb.cert.org/vuls/id/228519.
“Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. (1)“ This vulnerability is also referred to as KRACK ( Key Reinstallation Attack).
Impact of this vulnerability?
This vulnerability impacts Mist APs configured for 802.11r to enable Fast secure roaming. This vulnerability has been listed as CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it.
Mist will be releasing a firmware update shortly to resolve this for networks leveraging the 802.11r configuration on the Infrastructure side.
What action is needed to address this vulnerability?
Please upgrade to firmware Version 0.1.11888 or later, which includes the fix to address this issue.
Who can I contact for more information?
Please reach out to support@mist.com for any questions or concerns.
Sources:
1. https://www.kb.cert.org/vuls/id/228519/
2. https://www.us-cert.gov/ncas/current-activity/2017/10/16/CERTCC-Reports-WPA2-Vulnerabilities
3. https://www.krackattacks.com/