Hotfixes for the affected products will be made available on supported streams as they become available, starting on October 20, 2017. Here's more information on How to Download Firmware Files for Extreme Networks Products
Extreme Networks is offering a free, one-time download for ExtremeWireless and ExtremeWireless WiNG customers that are without a paid maintenance contract. This one-time download provides access to an updated firmware release, but does not
include additional warranty or support from Extreme Networks without a paid support contract. The firmware is available on currently supported access point and controller models only. This one-time download is available at the following link:https://learn.extremenetworks.com/Wi-Fi-Vulnerability-Firmware-Download-oct2017_LP.html
A defense in depth posture with multiple levels of protection is the strongest mechanism to reduce security risks for most organizations. The following mitigation techniques can reduce the risk of these attacks:
- Use Extreme ADSP or ExtremeWireless Radar to reduce the risk of man-in-the-middle attacks, a pre-cursor to this attack.
- Disable 802.11r until a hotfix has been released
a. 802.11r is disabled by default in ExtremeWireless(TM), ExtremeWireless(TM) WiNG and 9100 Series products.
- Use application layer encryption, SSL, or VPN to provide an extra layer of protection for critical communications and/or data.
- Patch client devices
a. This is the weakest link and most difficult to address due to the large, uncontrolled number of client devices.
A common form of the KRACK WPA/ WPA2 attack originates as a man-in-the-middle (MitM) attack. ADSP customers are advised to keep a close eye on the following alarms, as potential indicators of the attack:
- AP Impersonation detected
- ID Theft – Out of sequence
- ID Theft – Vendor IE missing
- Honeypot AP detected
- Multipot attack detected
If any of the above alarms are triggered, check for transmissions from the device on a non-operating channel. A symptom of the attack is overlapping/intermixed packet transmissions from two devices with identical MAC addresses and identical SSIDs; but operating on two different channels within a close time interval – with one device on an operating channel (the device under attack). Forensics can be used to look for this information. If the attack is in progress, Liveview can also be used.
As an enhancement, ADSP is evaluating addition of new signatures to more directly identify the attack as a KRACK WPA/WPA2 attack.