DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2860 V3.8.5.1 (Krack fix)

More
17 Dec 2017 11:43 #7 by admin
Replied by admin on topic Re: Vigor 2860 V3.8.5.1 (Krack fix)
You can disable EAPOL retries, but it will affect authentication times in busy networks...and it's a only a local fix - the phone/laptop etc. would still be vulnerable elsewhere so not a solution.

Forum Administrator

Please Log in or Create an account to join the conversation.

  • hornbyp
  • Topic Author
  • User
  • User
More
17 Dec 2017 18:34 #8 by hornbyp
Replied by hornbyp on topic Re: Vigor 2860 V3.8.5.1 (Krack fix)
Well if you don't accept Draytek's analysis, try Cicso's :-

Workaround for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, and CVE-2017-13081
Limiting the maximum number of Extensible Authentication Protocol (EAP) over LAN (EAPoL) key retries to 0 has been determined to be a valid workaround for these vulnerabilities. Setting the EAPoL retries value to 0 means one message will be sent, there will be no retransmissions sent, and if the EAPoL timeout is exceeded the client will be removed.



(From: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa )

Please Log in or Create an account to join the conversation.

More
18 Dec 2017 01:18 #9 by admin
Replied by admin on topic Re: Vigor 2860 V3.8.5.1 (Krack fix)
Which says the same thing except that Cisco there say "accepted as a valid workaround" without pointing out, ONLY if it's done on every AP/router in the world and in busy areas (web cafes/airports) you could be waiting a while to authenticate as it goes back to phase 0 each time a collision occurs.

Also, disabling EAPOL retries is not widely supported (though it might be added now)

Forum Administrator

Please Log in or Create an account to join the conversation.

  • hornbyp
  • Topic Author
  • User
  • User
More
18 Dec 2017 13:55 #10 by hornbyp
Replied by hornbyp on topic Re: Vigor 2860 V3.8.5.1 (Krack fix)
Draytek's analysis includes the following cautionary passage :-

If EAPOL retries are disabled, it means that there will be no retransmissions and once the EAPOL timeout passes, the client will be removed. This does mean that authentication may be slower, depending on traffic (see earlier) or if you're using some embedded clients with particularly slow processing. These clients are likely to be older or lower power devices and thus may not be patched by their vendors for Krack, which leaves them vulnerable. If you are confident that all of your clients are patched for Krack and authentication is too slow then you can re-enable EAPOL retries to improve efficiency or allow access to clients who authenticate slowly.



In my own case, none of my devices have been adversely affected by setting EAPOL=0 (including several I.O.T. devices), so there appears to be no cost in implementing it.

As far as I can tell, there is no other practical solution: I have identified 24 WiFi enabled devices in my domestic environment. To date, I have received client-side security patches for precisely none of them!

Please Log in or Create an account to join the conversation.

More
19 Dec 2017 07:28 #11 by admin
Replied by admin on topic Re: Vigor 2860 V3.8.5.1 (Krack fix)

hornbyp wrote: I have received client-side security patches for precisely none of them!



Hey, why worry about boring stuff like security when you're running a cool startup, got funky chairs and your backers are carrying you around town like you're the new messiah! Where we're going, we don't need security !

But yes, IOT has been identified as the biggest chink in security at the moment.

1. Invent
2. Design and produce ASAP
3. Think about security

I wonder if that agile chart could be improved :-)

Forum Administrator

Please Log in or Create an account to join the conversation.