As you may have already heard, a new high-severity security vulnerability has been released publicly that is related to the WiFi Protected Access 2 Protocol (WPA2 Protocol). This newly discovered weakness could potentially allow an attacker to compromise an encrypted wireless session between a wireless client (PC/Smartphone) and the associated Wireless Access Point (AP). Once compromised, the attacking AP now acts as a "Man-in-the-Middle" and would be able to view packets between the wireless client and a remote endpoint as well as potentially inject malformed packets into the session.
To summarize, this is a vulnerability that hijacks a wireless user and not the wireless network. It’s also important to note that not only would the hijacker need to be in range of the end user's wireless, but they would also need knowledge of creating an exploit. With that said, this exploit covers a wide spectrum in the networking environment and everything wireless, from Access Points to Endpoints, should be patched as fixes are released. A detailed explanation on the vulnerability from the party responsible for the discovery can be found here.
Vendors are currently responding to this vulnerability in an understandably ad hoc fashion and more information expected to be coming from vendors in the coming days. Thus far, responses have been as follows:
- Microsoft has released a patch. Customers who apply the update, or have automatic updates enabled, will be protected. Customers are encouraged to turn on automatic updates to help ensure they are protected. The Windows updates released on October 10 protect customers from this latest exploit.
- Meraki has released a patch (emails note a fix for 802.11r ).
- Cisco has released a partial patch but is still analyzing affected products.
- Google/Pixel expects to release a patch on November 6.
- Android phone makers are currently working on patches.
- Apple has not yet disclosed if the newest version of IOS 11 includes a fix.
We have been in contact with Cisco’s Product Security Incident Response team, and are waiting for detail around patched software versions for both the Cisco and Meraki wireless product lines.
If you receive server and workstation patching services from SE, the Microsoft patch will be included in the monthly update. If you are an SE EventWatch, SE Monitoring, or SE Essentials customer, we will be reaching out to you with further information in the coming days regarding patching your wireless environment.
Updated Communication: October 23, 2017
Cisco and Meraki both have fixes available for the WPA2 vulnerability. We have identified our clients that utilize this equipment and are moving towards the execution phase of addressing the issue. Our priorities will focus on clients that subscribe to our SE Critical Care service with a higher priority on compliance-based industries such as medical, insurance, financial, retail, and government.
A Systems Engineering representative will be in touch to reinforce the process and partner with you on patching assistance and any involvement you may need. Meraki clients will go through a rotating client list of patching and scheduled reboots during off hours. This will require minor downtime and we ask that you work with us to provide that downtime to expedite the process, if possible.
Keep in mind patching the wireless only addresses the protection from the Access Point. Clients also need to be updated as patches become available. Our clients with managed patching (SE Essentials, SE Secure, and SE Monitoring) are in the process of scheduled rollouts now. We recommend all other users to self patch as fixes become available. The link below identifies the status of multiple hardware vendors and the status of each update.
Please note that the information in this advisory is not final yet, so please continue to revisit the page until there is a "final" version.
Questions? Call your Account Manager, or email firstname.lastname@example.org.