The issue is related to 802.11r (fast BSS transition), used to enhance roaming; if it is disabled on the WLANs, the vulnerability to attack of AP-to-client traffic is eliminated. The krackattacks.com site describes it as:
“it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.”
WPA2/AES - attacker can decrypt and replay Wi-Fi packets.
WPA2/Auto-TKIP - attacker can decrypt, replay and inject frames.
It requires that the attacker be physically in range of your APs, performing a man-in-the-middle impersonation of a true AP MAC address.
In the WLAN configuration options, the default setting is 802.11r Fast Roaming disabled (SZ 3.5.1).
This is a client vulnerability issue. A man-in-the-middle AP sends your SSID using your AP's MAC address. If one of your clients joins this malicious AP, there is a hole in the client that allows the client to connect even if the passphrase is not correct(!).
After this happens, this client, and only this single client, can be sniffed.
Our product is designed to alert Admins if such a rogue AP is present. Only AP manufacturers who use their APs as RAPs in Mesh (i.e. connecting to a Guest WLAN) are vulnerable (as Aruba stated).
Things to think about:
1) All current certs and Wi-Fi passwords are still secure (the attacker doesn't get the password).
2) AES does not allow for code injection (TKIP does; don't use it).
3) Android 6 has more issues that might make this attack easier.
4) Disabling 802.11r will mitigate the attack.
5) Patching either side (client or distribution system) stops the attack from happening on the WLAN.
6) MITM attacks can happen if the attacker inserts a new cert; the end user is prompted with a cert error.
7) Do not move to WEP.
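To make the quoted four-way-handshake description and point 5 concrete, here is an added toy model (not code from the original post, and not any vendor's implementation) of a client that receives handshake message 3 twice. The keystream is a SHA-256 stand-in for CCMP's AES-CTR, the PTK and frame contents are constructed sample values, and the `patched` flag stands for the client-side fix of not reinstalling an already-installed key and not resetting its packet number. The point it demonstrates is the defender's one: with a reused nonce, anyone holding two ciphertexts and one plaintext recovers the other plaintext without ever learning the key, which is why the passphrase stays secret (point 1) while the client's traffic does not.

```python
"""Toy model of why a retransmitted handshake message 3 undermines encryption
when a client reinstalls its key and resets the nonce (packet number).
Constructed illustration: the keystream is a SHA-256 stand-in for AES-CTR."""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream from (key, nonce): same inputs -> same stream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class Supplicant:
    """Client-side key installation state for one association (hypothetical)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None   # installed pairwise key
        self.pn = 0       # packet number, used as the per-frame nonce

    def on_message3(self, ptk: bytes) -> bool:
        """Handle handshake message 3. Returns True if the key was (re)installed."""
        if self.patched and self.ptk is not None:
            # Fixed behaviour: key already installed, keep the packet number.
            return False
        # Vulnerable behaviour: install the key and reset the nonce every time.
        self.ptk = ptk
        self.pn = 0
        return True

    def send(self, plaintext: bytes):
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, encrypt(self.ptk, nonce, plaintext)


def recover_other(known_plaintext: bytes, c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 share a keystream, c1 XOR c2 == p1 XOR p2, so p2 falls out."""
    return xor(xor(c1, c2), known_plaintext)


def simulate(patched: bool) -> dict:
    ptk = hashlib.sha256(b"constructed sample PTK").digest()  # constructed
    p1 = b"GET /index.html HTTP/1.1"   # constructed, assumed known to observer
    p2 = b"Cookie: session=secret01"   # constructed, the frame worth protecting
    sta = Supplicant(patched)
    sta.on_message3(ptk)
    n1, c1 = sta.send(p1)
    sta.on_message3(ptk)               # message 3 arrives a second time
    n2, c2 = sta.send(p2)
    return {
        "nonce_reused": n1 == n2,
        "recovered": recover_other(p1, c1, c2),
        "secret": p2,
    }


if __name__ == "__main__":
    for patched in (False, True):
        r = simulate(patched)
        print("patched" if patched else "vulnerable",
              "nonce reused:", r["nonce_reused"],
              "secret recovered:", r["recovered"] == r["secret"])
```

Run it and the vulnerable client reuses packet number 0 after the second message 3, so the second frame is recovered from the first; the patched client moves on to packet number 1 and the same XOR trick yields garbage. Note that the patched client still accepts the retransmission (it simply does not touch the installed key), which is the part of the fix that applies independently of whether 802.11r is enabled.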
Still waiting for a corporate Security message I can post to Support and will share here. Thanks.