Several critical new security vulnerabilities have just been announced that affect wireless networks using either a pre-shared key (password) or 802.1x (centralized authentication via a server) to authenticate users. One vulnerability in particular affects most wireless vendors — including Cisco Meraki — and targets Fast Secure Roaming (a.k.a. Fast BSS Transition, or FT), the capability defined by the 802.11r protocol.
Meraki has already identified at-risk customer networks that actively use FT and has deployed a firmware patch* to address this vulnerability. Affected customers automatically received this patch via a seamless cloud update — unless they opted out. We strongly urge any customers opting out to disable 802.11r on their networks.
Regardless of opt-out preferences, all Meraki customers can easily schedule — or directly apply — the latest wireless firmware via the Firmware Updates page in the Meraki dashboard.
We encourage Meraki customers who are not vulnerable (i.e. do not actively use FT capabilities) to also upgrade to the latest firmware, ensuring protection in the event 802.11r is enabled in the future. Again, these customers can opt to manually deploy firmware via the Firmware Updates page.
Once patched, customer networks can safely make use of the FT capabilities of 802.11r.
What is the attack, and were you affected?
802.11r is a standard for improving the roaming experience of wireless client devices as they physically move about a given network and, by virtue of distance and signal strength, automatically associate and disassociate to various access points (APs). Associating to a new AP takes time, because the client must authenticate to it. FT speeds up the authentication and association process for roaming clients — helping to protect against packet loss and poor performance in applications like VoIP calls or streaming content.
CVE-2017-13082 details potential exploits using the newly-disclosed FT vulnerability. Essentially, an attacker can expose sensitive information exchanged between a client device and a wireless access point by taking advantage of the fact that the FT connection setup does not detect replayed frames. This allows an attacker to replay data sent to an AP, including sensitive encryption key data — enabling that attacker to decrypt or forge wireless frames. In all cases, an attacker needs to be in close proximity to the AP or client under attack.
Only unpatched wireless networks that have enabled 802.11r functionality are at risk. Meraki has created a dynamic dashboard page to help customers quickly identify vulnerable networks. To view this page, navigate to Help > 802.11r Vulnerability Impact. This page will dynamically update network vulnerability status based on firmware applied and whether 802.11r is enabled.
To determine whether 802.11r is enabled for a given Meraki wireless network, navigate to Wireless > Configure > Access Control in the Meraki dashboard, and look under Network Access:
802.11r is disabled on this particular wireless SSID.
We strongly urge all customers to verify that they are either patched to the latest firmware version* or that they have disabled 802.11r. Our technical support staff is available to assist with any questions or concerns you may have.
For additional details about the attack and our updates, please refer to our public-facing FAQ.
For more technical information, please see Cisco’s Product Security Incident Response Team (PSIRT) vulnerability disclosure.
* The latest, secure firmware version for most MR models is MR 24-11; customers deploying MR33s, MR30Hs, or MR74s must update to firmware version MR 25-7.
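As an added illustration of the check this post asks customers to perform (not Meraki's own code or the logic behind the dashboard's 802.11r Vulnerability Impact page), the following Python audit applies the two rules stated above, 802.11r enabled on an SSID plus an AP running firmware below the fixed version for its model, to a constructed inventory. The inventory layout and field names, and the assumption that any release at or above the applicable threshold carries the fix, are mine, not from the post.

```python
import re
from typing import Dict, List, Tuple

# Fixed firmware thresholds taken from the advisory text.
DEFAULT_FIXED = (24, 11)          # "MR 24-11" for most MR models
MODEL_SPECIFIC_FIXED = {          # "MR 25-7" for MR33, MR30H and MR74
    "MR33": (25, 7), "MR30H": (25, 7), "MR74": (25, 7),
}

def parse_version(firmware: str) -> Tuple[int, int]:
    """Turn a dashboard firmware label such as 'MR 24-11' into (24, 11)."""
    m = re.search(r"(\d+)[-.](\d+)", firmware)
    if not m:
        raise ValueError(f"unrecognised firmware label: {firmware!r}")
    return int(m.group(1)), int(m.group(2))

def minimum_fixed(model: str) -> Tuple[int, int]:
    return MODEL_SPECIFIC_FIXED.get(model.upper(), DEFAULT_FIXED)

def is_patched(model: str, firmware: str) -> bool:
    # Assumption: any release at or above the model's threshold carries the fix.
    return parse_version(firmware) >= minimum_fixed(model)

def assess(network: Dict) -> List[str]:
    """Return one finding per at-risk AP; an empty list means not at risk."""
    ft_ssids = [s["name"] for s in network["ssids"] if s.get("dot11r_enabled")]
    if not ft_ssids:
        return []  # 802.11r off on every SSID: not vulnerable (upgrade still advised)
    findings = []
    for ap in network["aps"]:
        if not is_patched(ap["model"], ap["firmware"]):
            wanted = "-".join(map(str, minimum_fixed(ap["model"])))
            findings.append(
                f"{ap['name']} ({ap['model']}, {ap['firmware']}) serves FT SSID(s) "
                f"{', '.join(ft_ssids)} and is below MR {wanted}")
    return findings

# Constructed sample inventory (hypothetical names, not real customer data).
SAMPLE_NETWORK = {
    "ssids": [{"name": "Corp", "dot11r_enabled": True},
              {"name": "Guest", "dot11r_enabled": False}],
    "aps": [{"name": "lobby-ap", "model": "MR42", "firmware": "MR 24-11"},
            {"name": "floor2-ap", "model": "MR33", "firmware": "MR 24-11"},
            {"name": "yard-ap", "model": "MR74", "firmware": "MR 25-7"}],
}

if __name__ == "__main__":
    for line in assess(SAMPLE_NETWORK) or ["no at-risk access points"]:
        print(line)
```

Note that an MR33 on MR 24-11 is reported as at risk even though that release fixes most other models, which is exactly the model-specific caveat in the footnote.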