This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

KRACK vulnerability

What is the Sophos position on the KRACK vulnerability in WPA2? Are we safe, when will we see a patch if we're not? Many vendors have already released statements with models affect, patches and work-arounds. Cisco, Aruba, Ubiqiti, Microsoft, etc.



This thread was automatically locked due to age.
Parents
  • https://community.sophos.com/kb/en-us/127658

    Appears the KB has been updated with the below:

    Protections offered by Sophos products

    The Wireless team is currently working on the necessary patch and after full implementation and testing on our solutions, we will be able to release a fix. This process can take a number of days.

    The below list shows the scheduled patched version to correct the WPA/WPA2 vulnerability and expected release dates. All dates and version numbers are subject to change.

    • Sophos UTM 9.5 SR 2 (9.505) :2017-10-20
    • Sophos Firewall: 16.5 : 2017-10-20
    • Cloud Wireless : 2017-10-20
    • Cyberoam UTM: 2017-10-30
Reply
  • https://community.sophos.com/kb/en-us/127658

    Appears the KB has been updated with the below:

    Protections offered by Sophos products

    The Wireless team is currently working on the necessary patch and after full implementation and testing on our solutions, we will be able to release a fix. This process can take a number of days.

    The below list shows the scheduled patched version to correct the WPA/WPA2 vulnerability and expected release dates. All dates and version numbers are subject to change.

    • Sophos UTM 9.5 SR 2 (9.505) :2017-10-20
    • Sophos Firewall: 16.5 : 2017-10-20
    • Cloud Wireless : 2017-10-20
    • Cyberoam UTM: 2017-10-30
Children
  • So what you are saying is that the new modus operandi for any new vulnerability disclosure is to give the vendors a week to fix it before public disclosure?  Since, based on this example (and SOPHOS is only one of many corporations guilty of this...except for Microsoft they patched it before it went public) the vendors would just sit on the vulnerability without it being patched unless that specific vulnerability gains public exposure.   

     

    Sophos had 7 weeks to patch and test the patch.  So the whole "the necessary patch and after full implementation and testing on our solutions, we will be able to release a fix. This process can take a number of days" should have been finished by September 20th at most (it was disclosed to them on the 5th, I think 15 days for a simple change 4 reply to 2 reply or 1 reply should be be an easy fix)  I mean DD-WRT firmware folks (1 guy "team") did it in 2 hours and all of the routers running that open source firmware are OK now without any issue, yes I am comparing public to corporate world/solutions hence I am giving the SOPHOS team a 15 day slack to test it...if DD-WRT can issue the fix in 2 hours (only reason why it was late is because they worked off the public release, the devs didn't have the privy to early info), then a corporate world should fix the same issue and have it tested within 15 days. 

     

    All of this exposes the whole security by obscurity patch theater: "Just because it's not public then we are safe"....yeah, but as any other invention in our time, just because one person found it, it doesn't mean that others didn't either.  

     

    What this needs is the Game of Thrones SHAME BELL!