KRACK Wi-Fi Vulnerability

Contributor III

Does anyone know if there was a patch released or when it is expected to be released? Guessing this is a firmware update?


Valued Contributor II

I believe KRACK fixes were seeded in the beta channels for all Apple OSes.

Contributor III

What about 10.10/10.11/10.12 clients?

Valued Contributor II

@rqomsiya We're all waiting for that info from Apple like you are.

There is precedent for them only fixing the shipping OS... the only patch for the Broadpwn vulnerability was in 10.12.6.

Of the 10 CVEs, 9 require client-side patching. Of every device. sigh

Valued Contributor III

They have to patch this for 10.12.6 with a supplemental. I'd be surprised if they didn't patch 10.11 as well. This is too widespread.

Valued Contributor

I'd like to think you're right @alexjdale, but their track record leaves me worried... we're not ready to upgrade to 10.13 yet.

Valued Contributor

New update released a few hours ago. Might be a step in the right direction.

EFICheck AllowListAll

a bit about eficheck

Contributor III

To be of any use to an attacker, both the WPA2 device and the connected client need to remain vulnerable to KRACK.

While it doesn't diminish the pressing need to patch the Macs and iOS devices, updating your WAPs will help. Ubiquiti, for example, released updates yesterday for their various UAPs. (UCK controller firmware 5.6.19 is also live.)


@pete_c is right. According to discoverer Mathy Vanhoef, updates should occur on APs and on clients, but just APs will help your network, at least.

... luckily implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point (AP), and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time. However, the security updates will assure a key is only installed once, preventing our attack. So again, update all your devices once security updates are available. Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!

Legendary Contributor III

So it's possible I just missed it, but, does anyone know if Apple has released a patch for Sierra to fix this vuln yet? In doing searches I'm not pulling anything up.
Or is so far the only statement from them, that, sure, if you are running our latest buggy new OS, you're fine, otherwise, you are SOL? I seriously hope they don't leave 10.12.x Macs out to dry just because 10.13 is out now. I'm getting asked how soon we can get a patch for this deployed, but we cannot go to High Sierra in our environment yet due to dependencies and the fact that it's not quite ready for prime time.

Valued Contributor

Hey Mike, from the latest I read they have a patch in beta for Sierra et al. with good results so far. If history is an indication, they'll probably roll it out with 10.13.1 as a security patch for 10.12, 10.11 and (maybe?) 10.10, like they did for 10.12.6.

We'll see.

Valued Contributor II

Highly doubt 10.10 sees any updates. 10.11 and 10.12 will be lucky if they get this one. There is a new Security Update beta for Sierra floating around...

New Contributor III
Sync and check your SUS server.