Jump to content
Dido

flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping?

Recommended Posts

Hopefully EnGenius has a patch already. Other AP manufacturers knew about this vulnerability before the announcement. 

Looking forward to hearing from EnGenius. 

Share this post


Link to post
Share on other sites

I am also looking forward to hearing from them about how they plan to address this issue. If they do not respond, may need to move to a different vendor for our wifi solution.

Share this post


Link to post
Share on other sites
11 minutes ago, Guy Guckenberger said:

I just spoke with a gentleman in support and he didn't know anything about the vulnerability! I explained it to him and he said there would be a patch when they were notified of the problem. 

Well isn't that reassuring.

Share this post


Link to post
Share on other sites

Guy Guckenberger,

it seems you didn't *notify* them!?
In any case. it *is* good news to know that they have a patch available, sitting there until they will be notified of the flaw.
"It could be worse. It could be raining."

 

Share this post


Link to post
Share on other sites

So no response from Engenius on KRACK attack yet? They should have been addressing this before it went public. 

Share this post


Link to post
Share on other sites
4 hours ago, Weehooey said:

Hopefully EnGenius has a patch already. Other AP manufacturers knew about this vulnerability before the announcement. 

Looking forward to hearing from EnGenius. 

Yep, Mikrotik has patched their products in advance:

https://forum.mikrotik.com/viewtopic.php?f=21&p=623435 :

"On October 16. CERT/CC/ICASI released a public announcement about discovered vulnerabilities in WPA2 handshake protocols that affect most WiFi users and all vendors world wide. 
RouterOS v6.39.3, v6.40.4, v6.41rc are not affected!
It is important to note that the vulnerability is discovered in the protocol itself, so even a correct implementation is affected. 
These organizations did contact us earlier, so we have already released fixed versions that address the outlined issues. Not all of the discovered vulnerabilities directly impact RouterOS users, or even apply to RouterOS, but we did follow all recommendations and improved the key exchange process according to the guidelines we received from the organizations who discovered the issue. 
We released fixed versions last week, so if you upgrade your devices routinely, no further action is required."

 

I'm really impressed that company claiming to be in "complex business network" class is not aware of coming security issues.

And according https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4 , EnGenius is not affected .... 

 

Share this post


Link to post
Share on other sites
7 minutes ago, udippel said:

Dido, where on that page do you see Engenius? I don't ....

Does 'no show' mean 'unaffected'?

Yes, in kb.cert.org EnGenius is not mentioned as affected vendor, which is strange as this is WPA2 protocol issue. I don't know is it affected and how is build list of vendors on cert.org.

Let's hope for the best... And that someone from EnGenius will provide more information.

Share this post


Link to post
Share on other sites

so, spent a few minutes and found;

Original Release date: 16 Oct 2017 | Last revised: 16 Oct 2017

https://www.kb.cert.org/vuls/id/228519/

Engenius and Senao are both missing from this limited list

https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

another easy to read info page, I like this one better than the others

http://blog.erratasec.com/2017/10/some-notes-on-krack-attack.html

Share this post


Link to post
Share on other sites

This is a pretty big deal.

I would expect to see some sort of public statement that Engenius's products are either 1) affected and will be patched very soon; or 2) unaffected and customers can rest assured that everything is fine.

This will determine whether I switch to another vendor or not - I'm not going to willfully leave my customers' data at risk when other vendors have been proactive in releasing updates (the vulnerability was responsibly disclosed for hardware and software vendors to fix well in advance of the 10/16 public announcement).

Share this post


Link to post
Share on other sites

Just received the following e-mail from EnGenius-

Below is a statement from our Field Application Engineer (FAE) on the KRACK exploit:

 

How this Vulnerability Impacts EnGenius Products and Networks

--------------------------------------------------------------------------------------

As the issue occurs on client devices, the first step for any network operator is to check with your client device manufacturers for security patches and updates and apply these updates as soon as they are available.

 

EnGenius software developers are currently actively investigating the impact of this vulnerability across all of the products in our product portfolio, and will be issuing firmware releases in the coming days and weeks to address this issue.  In the interim, EnGenius still recommends the continued use of WPA2-AES Personal or WPA2-AES Enterprise for network security.  Do not use WEP and do not use WPA-TKIP, as the vulnerabilities of those deprecated security protocols are significantly more serious and easier to execute by a malicious attacker.

 

Share this post


Link to post
Share on other sites

convincing, re1master, is different.

The vulnerability had been communicated to the manufacturers as early as July. Others have 'investigated' the impact, and others have since long provided a workaround for this protocol flaw. 
In this sense, Engenius has shown contempt to its customers by starting to investigate the vulnerability - as mentioned above - not earlier than its public discussion. 

Share this post


Link to post
Share on other sites
3 hours ago, udippel said:

convincing, re1master, is different.

The vulnerability had been communicated to the manufacturers as early as July. Others have 'investigated' the impact, and others have since long provided a workaround for this protocol flaw. 
In this sense, Engenius has shown contempt to its customers by starting to investigate the vulnerability - as mentioned above - not earlier than its public discussion. 

Yea, wasn't happy with their response. Just completed 20+ orders to replace EnGenius and other vendors with ones that have already pushed out patches.

Share this post


Link to post
Share on other sites

It's been quite a long time that most Engenious routers have had firmware fixes for the KRACK vulnerability. 

However a short list of AP, which are listed as "affected" remain with the patch "pending".

This includes the EAP1750H that I have.

Why has it been months for these few remaining affected routers that no patch is available?

Will there be one?

Share this post


Link to post
Share on other sites

I second your post. My products have been patched, but way too late.

Answers are not forthcoming, though I regularly receive ads from Engenius about fantastic new products. Totally cool! Tell you what: After this experience with this vulnerability I can guarantee that I won't source Engenius again. Ever. 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

By using this site, you agree to our Terms of Use.