
KRACK vulnerability

What is the Sophos position on the KRACK vulnerability in WPA2? Are we safe, and when will we see a patch if we're not? Many vendors have already released statements with models affected, patches and work-arounds: Cisco, Aruba, Ubiquiti, Microsoft, etc.



  • Which is nice but we really need an ETA on this. A lot of other vendors already have this patched such as Aruba, Ubiquiti, Fortinet, Meraki, etc.

  • Patch has been released as per Sophos Twitter and is available on the FTP.

    edit: apparently no patch for this issue. Sad as now it would have been the right time.

  • On their Twitter I just see the post acknowledging the vulnerability and saying to wait for a patch; did I miss the tweet?

    Latest patch available on the FTP is 9.504 which does not include the KRACK fix. Sophos was informed of the vulnerability in late August so I am not sure why we don't have a patch yet. 

  • No, what's sad is that MANY, MANY VENDORS KNEW ABOUT THIS SINCE AUGUST 25TH AND SOPHOS SINCE EARLY SEPTEMBER, but they waited until the VULN went PUBLIC to do anything about it.

    This should have been fixed weeks ago, not when it goes public, a month+ and for some nearly 2 months after they were notified.

    Goes to show that all of this security theater is reactionary in nature and it takes a public shaming to expose the action to fix... THAT IS REALLY SAD!

  • Hi brunomc, can you point me to the Twitter message about the released patch and the patch link itself, please?

    That way I can forward the information to Support, because they just replied to me that there is no fix right now.

    From https://www.kb.cert.org/vuls/id/CHEU-AQXJL5 you can see Sophos was notified about this bug on the 6th of September; I hoped after 1 month there would have been a patch already.

  • I did edit my post yesterday mentioning: "edit: apparently no patch for this issue. Sad as now it would have been the right time." :)

  • https://community.sophos.com/kb/en-us/127658

    Appears the KB has been updated with the below:

    Protections offered by Sophos products

    The Wireless team is currently working on the necessary patch and after full implementation and testing on our solutions, we will be able to release a fix. This process can take a number of days.

    The below list shows the scheduled patched version to correct the WPA/WPA2 vulnerability and expected release dates. All dates and version numbers are subject to change.

    • Sophos UTM 9.5 SR 2 (9.505): 2017-10-20
    • Sophos Firewall 16.5: 2017-10-20
    • Cloud Wireless: 2017-10-20
    • Cyberoam UTM: 2017-10-30

  • So what you are saying is that the new modus operandi for any new vulnerability disclosure is to give the vendors a week to fix it before public disclosure? Since, based on this example (and SOPHOS is only one of many corporations guilty of this... except for Microsoft, who patched it before it went public), the vendors would just sit on the vulnerability without it being patched unless that specific vulnerability gains public exposure.

    Sophos had 7 weeks to patch and test the patch. So the whole "the necessary patch and after full implementation and testing on our solutions, we will be able to release a fix. This process can take a number of days" should have been finished by September 20th at most (it was disclosed to them on the 5th; I think 15 days for a simple change, 4 reply to 2 reply or 1 reply, should be an easy fix). I mean the DD-WRT firmware folks (1 guy "team") did it in 2 hours and all of the routers running that open source firmware are OK now without any issue. Yes, I am comparing public to corporate world/solutions, hence I am giving the SOPHOS team a 15 day slack to test it... if DD-WRT can issue the fix in 2 hours (the only reason it was late is that they worked off the public release; the devs weren't privy to early info), then the corporate world should fix the same issue and have it tested within 15 days.

    All of this exposes the whole security by obscurity patch theater: "Just because it's not public, we are safe"... yeah, but as with any other invention in our time, just because one person found it, it doesn't mean that others didn't either.

    What this needs is the Game of Thrones SHAME BELL!