Page 33 - Cyber Defense eMagazine - October 2017

community believed that waiting for patches posed a greater risk than publishing the details. This
               is most common when there is evidence that attacks based on the vulnerability are imminent, or
               already under way, or “in the wild”. In any case the decision was likely made so that
               organizations could make educated independent decisions on how to respond. In this case, the
               most radical response would be to immediately remove wireless systems from the
               organization’s operating infrastructure.


               These Vulnerabilities Are Difficult To Fix On Some Devices

               The vulnerabilities identified by Vanhoef and Piessens are relatively obscure and clearly
               required deep insight into the fundamental protocols involved. Unfortunately, this also means
               that, as is evident in responses from manufacturers, patches or even workarounds are proving
               challenging. For example, according to an update to the Cisco Security Advisory, as of the date
               of this article, Cisco indicates that one of the fixes they released had an issue itself:

               “Additional testing performed on October 20th, 2017 resulted in the discovery that the software
               fixes for CVE-2017-13082 on Cisco Access Points running Cisco IOS software may not provide
               complete protection.”


               Is This The First Flaw In The WPA Protocol Suite?

               This isn’t the first flaw to be found in the WPA protocol, but it is one of the worst. Prior
               vulnerabilities were found and patched effectively in a short period of time. This time, they are
               really deep in the protocol, and I believe that it is a good indicator that more exist. So when the
               patches are finally available, two challenges will remain: 1) As a result of apathy and ignorance,
               or poor process, many users will not have deployed the patches, and 2) When will the next
               WPA2 shoe drop?

               In addition, given the apparent difficulty some major manufacturers are having, there will likely
               be a group of devices and software that may remain vulnerable permanently.


               Are These Vulnerabilities In The Wild?

               I haven't seen any reports of these vulnerabilities being targeted in the wild. That does not mean
               it hasn’t happened. It may have occurred, but victims are unaware. Or they are aware and have
               been too busy dealing with the response to report it or have made a decision to not share the
               information publicly - either due to embarrassment, or fear of the political/legal fallout.



               3 Takeaways

               1. These vulnerabilities are serious and significant, probably the most significant vulnerabilities
               found this year, but it is not a “hair on fire” event, or the end of the world. Deal with it. But don't
               ignore it.


                         Copyright © Cyber Defense Magazine,  All rights reserved worldwide.