Hi,
are you aware of the latest security issue with wpa2 called "KRACK":
https://www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack/
At least Aruba and Ubiquiti already have some patch for this issue, what about Fortinet?
Is this relevant for FortiAP and also FortiWifi?
Regards
Dominik
NSE 4/5/7
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
As I read the PSIRT Advisory, only a FortiAP used in mesh leaf mode... and FortiWifi models being used in client mode (meaning the AP in the FortiGate is a WiFi client of another AP... acting like a mesh leaf).
I've seen nothing on FortiWLC. Considering any AP on a FortiWLC is a FortiAP, it seems all is good... but again, no confirmation on that. The PSIRT should have included FortiWLC if there was an issue.
I'll try to get more details from inside sources.
Norris Carden
Fortinet XTreme Team USA (2015, 2016)
CISSP (2005), CISA (2007), NSE4 (2016)
Duplicate post... sorry...
Norris Carden
Fortinet XTreme Team USA (2015, 2016)
CISSP (2005), CISA (2007), NSE4 (2016)
How about Meru Networks APs/WLC?
We are an old Meru Network shop using AP 832i, some Meru Controllers (MC1550) and some Forti Controllers (500D) running FortiWLC images (knows as System Director).
Has anyone heard anything from these yet?
Thanks,
no nothing yet,
I have a ticket open about FortiWLC and AP832, the ticket is in "researching".
We just bought a couple of controllers and 80 AP832i´s.
I will post here when I receive feedback.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
I am ok in my side. See below response from Fortinet for Legacy Meru devices:
How is Fortinet Controller based solution affected with CVEs disclosed in KRACK attacks: Our primary enterprise solution uses single channel and virtual cell architecture, and is not affected by the CVEs part of KRACK attacks.
The only configuration affected are the following: Feature
(1) Non virtual cell configuration with 11r enabled
(2) APs operating in Mesh mode
(3) APs having Service assurance module enabled
Applicable SD versions
(1) 8.0/8.1/8.2/8.3, and only with 11ac and wave2 APs
(2) 6.x/7.0/8.0/8.1/8.2/8.3
(3) 6.x/7.0/8.0/8.1/8.2/8.3
Immediate recommendation
(1) Disable 11r
(2,3) Disable SAM, until patch available
Patches to be made available on top of SD versions
(1) 8.3.3, 8.2.7 (2) 8.3.3, 8.2.7, 7.0.11 (3) 8.3.3, 8.2.7, 7.0.11
What about the 5.4.x branch?
We are also waiting for this updated firmware for a 221B!
The vulnerability indicates it is a WPA2 general vulnerability affecting the reuse of the nonce on one side of the session key exchange so it should affect any WPA2 implementation, does that sound correct?
Served 1,000,000 burgers
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.