Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bommi
Contributor III

WPA2 security issue "KRACK"

Hi,

Are you aware of the latest security issue with WPA2, called "KRACK"?

https://www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack/

At least Aruba and Ubiquiti already have some patch for this issue; what about Fortinet?

Is this relevant for FortiAP and also FortiWiFi?

Regards

Dominik

NSE 4/5/7
CyberNorris

As I read the PSIRT advisory, only a FortiAP used in mesh leaf mode is affected... and FortiWiFi models being used in client mode (meaning the AP in the FortiGate is a WiFi client of another AP... acting like a mesh leaf).

I've seen nothing on FortiWLC. Considering any AP on a FortiWLC is a FortiAP, it seems all is good... but again, no confirmation on that. The PSIRT should have included FortiWLC if there was an issue.

I'll try to get more details from inside sources.

Norris Carden

Fortinet XTreme Team USA (2015, 2016)

CISSP (2005), CISA (2007), NSE4 (2016)

CyberNorris

Duplicate post... sorry...

Norris Carden

Fortinet XTreme Team USA (2015, 2016)

CISSP (2005), CISA (2007), NSE4 (2016)

andresp

How about Meru Networks APs/WLC?

We are an old Meru Networks shop using AP 832i, some Meru controllers (MC1550) and some Forti controllers (500D) running FortiWLC images (known as System Director).

Has anyone heard anything from these yet?

Thanks,

Carl_Wallmark

No, nothing yet.

I have a ticket open about FortiWLC and AP832; the ticket is in "researching".

We just bought a couple of controllers and 80 AP832i's.

I will post here when I receive feedback.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

andresp

I am OK on my side. See the response below from Fortinet for legacy Meru devices:

How is the Fortinet controller-based solution affected by the CVEs disclosed in the KRACK attacks? Our primary enterprise solution uses single-channel and virtual cell architecture, and is not affected by the CVEs that are part of the KRACK attacks.

The only configurations affected are the following:

(1) Non-virtual-cell configuration with 11r enabled
    Applicable SD versions: 8.0/8.1/8.2/8.3, and only with 11ac and Wave 2 APs
    Immediate recommendation: disable 11r
    Patches to be made available on top of SD versions: 8.3.3, 8.2.7

(2) APs operating in mesh mode
    Applicable SD versions: 6.x/7.0/8.0/8.1/8.2/8.3
    Immediate recommendation: disable SAM, until patch available
    Patches to be made available on top of SD versions: 8.3.3, 8.2.7, 7.0.11

(3) APs having the Service Assurance Module (SAM) enabled
    Applicable SD versions: 6.x/7.0/8.0/8.1/8.2/8.3
    Immediate recommendation: disable SAM, until patch available
    Patches to be made available on top of SD versions: 8.3.3, 8.2.7, 7.0.11

Kommissar
New Contributor

What about the 5.4.x branch?

itsupport7

We are also waiting for this updated firmware for a 221B!

The vulnerability notice indicates it is a general WPA2 vulnerability affecting the reuse of the nonce on one side of the session key exchange, so it should affect any WPA2 implementation. Does that sound correct?

Served 1,000,000 burgers

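The nonce-reuse mechanism asked about above, as an added illustration that is not part of this thread and not Fortinet code: a toy station-side handshake state machine (the PTK derivation, the message format and the `patched` flag are simplifications of my own) receives a retransmitted handshake message 3. The unpatched path reinstalls the PTK and resets the packet number, so the next frame reuses a nonce and therefore keystream; the patched path answers the retransmission but keeps the already-installed key, which is what vendor fixes do on the supplicant side.

```python
import hashlib
import hmac
import os


class Supplicant:
    """Toy station-side 4-way handshake state (constructed; not Fortinet code)."""

    def __init__(self, pmk):
        self.pmk = pmk
        self.snonce = os.urandom(32)
        self.ptk = None
        self.installed = False
        self.pn = 0        # CCMP packet number: the per-frame nonce, reset on key install
        self.installs = 0  # how many times the PTK was (re)installed

    def on_msg1(self, anonce):
        # Stand-in for the real PTK PRF: HMAC-SHA256 over both nonces (assumption)
        self.ptk = hmac.new(self.pmk, anonce + self.snonce, hashlib.sha256).digest()

    def on_msg3(self, anonce, mic, patched):
        expected = hmac.new(self.ptk, b"msg3" + anonce, hashlib.sha256).digest()
        if not hmac.compare_digest(mic, expected):
            return False                  # bad MIC: ignore the frame
        if patched and self.installed:
            return True                   # key already in use: answer, but do not reinstall
        self.installed = True
        self.pn = 0                       # the reset that makes reinstallation dangerous
        self.installs += 1
        return True

    def encrypt(self, plaintext):
        # Keystream depends only on (PTK, pn); an equal pn yields an equal keystream
        self.pn += 1
        ks = hashlib.sha256(self.ptk + self.pn.to_bytes(6, "big")).digest()
        return self.pn, bytes(p ^ k for p, k in zip(plaintext, ks))


def run(patched):
    """One handshake with a retransmitted message 3; returns (installs, pn_a, pn_b, reused)."""
    pmk, anonce = b"\x01" * 32, b"\x02" * 32   # constructed fixed values
    s = Supplicant(pmk)
    s.on_msg1(anonce)
    mic = hmac.new(s.ptk, b"msg3" + anonce, hashlib.sha256).digest()
    s.on_msg3(anonce, mic, patched)
    pt_a, pt_b = b"first data frame", b"second frame ..."
    pn_a, ct_a = s.encrypt(pt_a)
    s.on_msg3(anonce, mic, patched)            # the AP retransmits message 3
    pn_b, ct_b = s.encrypt(pt_b)
    # With a reused keystream, ct_a XOR ct_b equals pt_a XOR pt_b: plaintext structure leaks
    reused = bytes(a ^ b for a, b in zip(ct_a, ct_b)) == bytes(a ^ b for a, b in zip(pt_a, pt_b))
    return s.installs, pn_a, pn_b, reused
```

`run(False)` returns (2, 1, 1, True): the key was installed twice and the second frame reused packet number 1; `run(True)` returns (1, 1, 2, False).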