How does WatchGuard Wi-Fi Cloud protect my wireless network from the recently announced KRACK WPA/WPA2 vulnerabilities?

(CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)

Vulnerabilities have been discovered in how clients and APs implement state machines in software for WPA/WPA2 temporal key generation and transportation handshakes. The vulnerabilities can be exploited by manipulating certain handshake messages over the air. The exploit results in the reuse of some packet numbers when handshakes are performed. For more information, see: KRACK WPA and WPA2 Wireless Vulnerabilities.

These vulnerabilities occur in both AP software and client software implementations. WatchGuard has addressed these vulnerabilities for Wi-Fi Cloud and AP software in version 8.3.0-657 released on October 15th, 2017.

Vulnerabilities for clients must be addressed by updating the client OS software to a version that includes fixes to address these vulnerabilities. Until all clients are updated, WatchGuard Wi-Fi Cloud APs can mitigate these client vulnerabilities by blocking handshake messages that can potentially exploit clients.

In version 8.3.0-657 and higher, you can enable the Mitigate WPA/WPA2 key reinstallation vulnerabilities option for WPA2 and WPA/WPA2 mixed mode security settings in an SSID Profile to activate this handshake blocking and force clients to reauthenticate. This re-authentication typically does not require the user to re-enter credentials, but it may add a few seconds to the connection time of the client. This option is disabled by default. This mitigation logic can trigger for other similar dropped packet symptoms, for example, natural frame errors during a handshake, or dropped packets when a client roams from one AP to another or roams beyond the range of the current AP connection. This can result in some client authentication connections to fail and be reestablished. WatchGuard recommends you enable this mitigation feature until you have updated all your client software to address the client vulnerabilities, and evaluate the impact to your client environment and user experience.

Enable WPA/WPA2 Vulnerability Mitigation in Wi-Fi Cloud

To enable WPA/WPA2 vulnerability mitigation for an SSID in Wi-Fi Cloud:

1. Log in to WatchGuard Wi-Fi Cloud.
2. Open Manage.
3. Select Configuration > Device Configuration > SSID Profiles.
4. Select an SSID Profile or create a new SSID Profile.
5. Expand the Security section.
6. When WPA2 or WPA and WPA2 mixed mode is selected as the Security Mode, the mitigation option check box appears.
7. Select the Mitigate WPA/WPA2 key reinstallation vulnerability check box.
8. Save the SSID Profile.

WIPS Mitigation of KRACK Vulnerabilities

WatchGuard Wi-Fi Cloud WIPS (Wireless Intrusion Prevention System) with dedicated WIPS sensors (not background scanning) provide zero-day protection against these vulnerabilities if the MAC Spoofing option is enabled in your Intrusion Prevention configuration and prevention is enabled. WIPS will actively block the exploit until you upgrade all your APs and clients.

About Third-Party APs

This configuration also protects non-WatchGuard third-party APs whether they have or have not been patched for the vulnerabilities. If your third-party APs have not been patched for the KRACK vulnerabilities, we recommend you also disable the use of 802.11r (Fast Roaming) on these APs.

WIPS Configuration

• This configuration requires full-time WIPS sensors on your network (One sensor for every 3 APs)
• If this is your first time using WIPS, we recommend you disable all other WIPS options in your Intrusion Prevention policy except for the MAC Spoofing option
• Before you activate Intrusion Prevention, make sure your wireless network is deployed and stable, and APs are correctly categorized (Authorized, External, Rogue)

For more information on getting started with WIPS, see About WIPS Configuration in the Wi-Fi Cloud Help.

To enable WPA/WPA2 vulnerability mitigation in WIPS:

1. Log in to WatchGuard Wi-Fi Cloud.
2. Open Manage.
3. Select the location where the Intrusion Prevention policy will be applied (automatically inherited by child locations).
4. Select Configuration > WIPS > Intrusion Prevention.
5. In the Threat Prevention section, select the MAC Spoofing check box.

6. Save the Intrusion Prevention configuration.
7. In Manage, select Configuration > WIPS > Intrusion Prevention Activation.
8. Select the location where the Intrusion Prevention policy will be activated (activation is location-specific).
9. Select the Activate Intrusion Prevention for Location 'Location' check box.
10. Click Save.