Cisco Meraki Documentation

802.11r Vulnerability (CVE: 2017-13082) FAQ

Overview

On October 16th, 2017, ten new security vulnerabilities (referred to as Key Reinstallation AttaCK, or KRACK) were announced that target the session establishment and management process in WPA(1/2)-PSK and WPA(1/2)-Enterprise. Of the ten vulnerabilities, Meraki access points (AP) are affected by only one (CVE: 2017-13082). Our engineering team has already made the fix available in the latest firmware (i.e. firmware versions MR 24.11 and MR 25.7), and it will be included in all future firmware versions. For an overview of how Meraki helped its customers, please refer to our blog. For any additional information, please refer to this FAQ page.

 

This is the first time a security vulnerability has been found in the WPA key installation process since its introduction. The vulnerabilities target the 4-way Handshake, Group rekey Handshake, 802.11r Fast-BSS Transition (FT), and Peer-Key Handshake. Using these vulnerabilities, an attacker can force a client or access point (AP) to reinstall the keys used to encrypt wireless data. Depending on the frames targeted, either a client or an AP is affected, as shown in the table below. The CVEs have been assigned based on the type of frames targeted.

| Type of Attack | CVE IDs | Devices Impacted |
|---|---|---|
| 4-way Handshake | 2017-13077 | Wi-Fi clients |
| Group-Key Handshake | 2017-13078/2017-13079/2017-13080/2017-13081/2017-13087/2017-13088 | Wi-Fi clients |
| 802.11r Fast-BSS Transition (FT) | 2017-13082 | Access Points |
| Peer-Key Handshake | 2017-13084/2017-13086 | Wi-Fi clients |

Using these vulnerabilities an attacker can either replay, decrypt or forge packets depending on the data integrity protocol used. The table below gives a summary of the type of attack and the direction of traffic flow that is affected.

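| Handshake | Data Integrity Protocol | Replay | Decrypt | Forge |
|---|---|---|---|---|
| 4-way/Peer-Key Handshake | WPA1 (TKIP) | AP → Client | Client → AP | Client → AP |
| 4-way/Peer-Key Handshake | WPA2* (CCMP) | AP → Client | Client → AP | N/A |
| Group Key Handshake | WPA1 (TKIP) | AP → Client | N/A | N/A |
| Group Key Handshake | WPA2* (CCMP) | AP → Client | N/A | N/A |
| 802.11r Fast-BSS Transition (FT) | WPA1 (TKIP) | Client → AP | AP → Client | AP → Client |
| 802.11r Fast-BSS Transition (FT) | WPA2* (CCMP) | Client → AP | AP → Client | N/A |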

*CCMP is the mandatory data integrity protocol in WPA2 but TKIP can be optionally supported.

Impact Assessment

To assess the impact on customers' networks and SSIDs, our engineering team has added a page within the dashboard that shows the affected networks and SSIDs. The page can be accessed through the Help menu in the dashboard.

Additional Information

Where can I find the affected networks?

If any networks are affected, the list can be found under Help → 802.11r Vulnerability Impact. If no networks are affected, the page will show “You have no networks affected by 802.11r vulnerability”.

 

What is the potential impact of this vulnerability?

The vulnerability enables a malicious injection of data packets into communications between devices on the network. In effect, the security of the wireless network is compromised, and an attacker can replay, decrypt, or forge frames.

 

How can I upgrade my firmware to a patched version?

Customers can use the “Firmware Upgrade Tool” to schedule firmware upgrades.

 

Which firmware version do I need?

If you have MR33s/30Hs/74s deployed in your networks, please upgrade to firmware version MR 25.7 or later. All other networks should upgrade to version 24.11 or later for MR24.X releases only.
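The version rule above can be applied to an exported AP inventory. The following is an added example, not Meraki code: the inventory rows, the field names and the `dot11r` values are constructed, and the handling of release trains other than MR 24.X and MR 25.X is this example's reading of the FAQ. Versions are compared as integer pairs, because 24.9 is older than 24.11 even though it is the larger decimal number.

```python
import re

# Thresholds taken from the FAQ text; everything else here is a constructed example.
MODELS_NEEDING_25_7 = {"MR33", "MR30H", "MR74"}
FIXED_IN = {24: 11, 25: 7}  # release train -> first minor version with the fix

def parse_firmware(text):
    """Parse 'MR 24.11', 'MR25.7' or '25.7' into an integer pair (major, minor)."""
    m = re.fullmatch(r"\s*(?:MR)?\s*(\d+)\.(\d+)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def has_fix(model, firmware):
    """True if this model/firmware pair meets the FAQ's minimum version."""
    major, minor = parse_firmware(firmware)
    if model.upper() in MODELS_NEEDING_25_7:
        return (major, minor) >= (25, 7)
    if major in FIXED_IN:
        return minor >= FIXED_IN[major]
    # Assumption: trains after 25.X carry the fix, trains before 24.X do not.
    return major > max(FIXED_IN)

def audit(inventory):
    """Return (name, status) per AP: 'patched', 'EXPOSED' or 'upgrade'."""
    report = []
    for ap in inventory:
        if has_fix(ap["model"], ap["firmware"]):
            status = "patched"
        elif ap["dot11r"] in ("enabled", "adaptive"):
            status = "EXPOSED"  # 802.11r (incl. adaptive) on unfixed firmware
        else:
            status = "upgrade"  # 802.11r off today, firmware still unfixed
        report.append((ap["name"], status))
    return report

# Constructed sample inventory (hypothetical AP names and field values).
SAMPLE_INVENTORY = [
    {"name": "lobby-1", "model": "MR42", "firmware": "MR 24.9", "dot11r": "enabled"},
    {"name": "lobby-2", "model": "MR42", "firmware": "MR 24.11", "dot11r": "adaptive"},
    {"name": "floor2-1", "model": "MR33", "firmware": "MR25.6", "dot11r": "adaptive"},
    {"name": "floor2-2", "model": "MR33", "firmware": "MR 25.7", "dot11r": "enabled"},
    {"name": "dock-1", "model": "MR32", "firmware": "MR 24.10", "dot11r": "disabled"},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY):
        print(f"{name:10s} {status}")
```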

 

Why were details of the patch not previously communicated?

This vulnerability impacts most implementations of 802.11r fast roaming protocol, irrespective of vendor. Cisco (including Meraki) worked with other vendors and organizations such as ICASI, CERT and Wi-Fi Alliance to coordinate a responsible disclosure. The official disclosure date and time as decided by all parties was October 16, 2017 at 10 AM ET. 

 

How do I know my networks have been secured?

As networks are upgraded to MR 25.7 (or later) and MR 24.11 (or later for MR24.X releases only), you can check the “802.11r Vulnerability Impact” page in the dashboard. Only networks that are affected will be shown on this page.

 

Can I use 802.11r after upgrading to the firmware version that includes the fix?

Yes, customers that are not using one of the models listed below can safely use 802.11r after upgrading to the firmware version that includes the fix.  

 

I currently use Adaptive 802.11r. Is my network vulnerable?

Yes, the vulnerability affects all versions of 802.11r including adaptive 802.11r. The feature can be used after upgrading to the firmware version that includes the fix.

 

Is the fix going to be available in future versions?

Yes, the security fix will be available in all future firmware releases including MR25.7 and MR24.11.

 

I currently don’t use 802.11r. How will I know in future if I accidentally enable 802.11r on an affected firmware?

Starting October 16, 2017, the “Access Control” page will show a warning if customers try to enable 802.11r on an affected firmware version.

 

Are MX devices with wireless capabilities affected?

No. MX devices do not support 802.11r and are not affected by the 802.11r vulnerability.

 

If I upgrade to MR24.11/MR25.7, will I be protected from all 10 security vulnerabilities?

No, the fix protects devices from the 802.11r vulnerability. For all other vulnerabilities, as mentioned in the table above, the client is under attack and hence cannot be protected by the AP. 

 

Is Meraki Mesh affected by all 10 vulnerabilities?

No, Meraki mesh is not affected by these vulnerabilities.

 

Can APs detect if clients are affected by the remaining vulnerabilities?

No, it is not possible for Meraki APs to detect clients that are affected by remaining vulnerabilities.

 

Where can I find additional technical details about the vulnerability?

The paper that describes the vulnerabilities in detail can be found via the ICASI public disclosure link.
