Upgrade Cisco WLC and Access Points to fix KRACK Attacks
On October 16th 2017, seven vulnerabilities affecting both WPA and WPA2, collectively known as KRACK (key reinstallation attacks), were publicly disclosed, and follow-up research turned up three more. Of these ten vulnerabilities only one, CVE-2017-13082 (key reinstallation in the 802.11r Fast BSS Transition reassociation handshake), affects wireless infrastructure such as access points and controllers, and it is only exposed on WLANs where 802.11r Fast Transition is enabled; the other nine affect client devices.
The good news is that the attack cannot be carried out remotely over the Internet. The attacker has to be within Wi-Fi radio range of the target client or access point, because the attack works by manipulating handshake frames over the air (it does not require the attacker to know the network key or to be joined to the network).
This is not a bug in one vendor's product but a flaw in the WPA2 protocol itself, so every vendor has to ship fixes. This post covers one specific case: patching a Cisco 2504 Wireless Controller, and the access points it manages, to release 8.3.133.
Extract from the Release Notes:
Before you upgrade, read the supported upgrade paths and the notes about the split 2504 images:
1. Upgrade path to 8.3.133
   - 7.0.x releases: you can upgrade directly to 8.3.133.
     If you have VLAN support and VLAN mappings defined on H-REAP access points and are currently running a 7.0.x Cisco WLC software release earlier than 126.96.36.199, we recommend that you upgrade to the 188.8.131.52 release first and then to 184.108.40.206, to avoid losing those VLAN settings.
     For FlexConnect VLAN mapping deployments, we recommend using FlexConnect groups. That lets you recover the VLAN mapping after an AP rejoins the Cisco WLC without reassigning the mappings by hand.
   - 220.127.116.11: you can upgrade directly to 8.3.133.
   - 7.2.x releases: you can upgrade directly to 8.3.133.
     If you have an 802.11u HotSpot configuration on the WLANs, we recommend that you first upgrade to the 126.96.36.199 Cisco WLC software release and then to the 188.8.131.52 Cisco WLC software release.
     If the WLANs carry an 802.11u HotSpot configuration that is not supported in the newer release, you must downgrade from the 184.108.40.206 Cisco WLC software release back to a 7.2.x release.
   - 7.3.x, 7.4.x, 7.5.x, 7.6.x, 8.0.x, 8.1.x, 8.2.x and 8.3.x releases: you can upgrade directly to 8.3.133.
     Specifically for 8.2.x, see "Changes in Images and Installation Procedure for Cisco 2504 WLC, Cisco 5508 WLC, and Cisco WiSM2" in the release notes for the special upgrade instructions that apply to the 2504, 5508 and WiSM2.
2. Because the Release 8.3.133 Cisco WLC software image has grown in size, the Cisco 2504 WLC software is split into two images:
   - Base Install image, which contains the Cisco WLC image and a subset of the AP images
   - Supplementary AP Bundle image, which contains the AP images left out of the Base Install image: AP802, Aironet 1530, 1550 and 1570. If you run any of those AP models, download the AP Bundle image to the controller after the base image as well; otherwise those APs have no patched code to fetch.
3. Do not rename AP_BUNDLE installation files: the controller uses the filename to decide whether to keep the backup image before starting the download.
   If a file is renamed so that its name no longer contains the string "AP_BUNDLE" or "FUS", the backup image is deleted before the download starts, because the controller assumes a larger regular base image is on its way.
Upgrading Cisco WLC to 8.3.133
Step 1: Backup WLC Configuration
- You need a TFTP server in your network that is reachable from the WLC (keep it on a management network; TFTP has no authentication, and the backup contains your controller configuration)
- Navigate to the COMMANDS tab in the WLC GUI and choose the UPLOAD FILE menu
- Specify File Type (Configuration), Transfer Mode (TFTP), IP Address (the TFTP server IP), File Path (./ if the file should land in the TFTP root folder) and File Name
- Click Upload to back up the WLC configuration
Step 2: Upgrade WLC
- Download the relevant WLC software image from cisco.com (a valid service contract such as SmartNet is required), verify its checksum against the value shown on the download page, and copy it to the root folder of the TFTP server
- Navigate to the COMMANDS tab and choose the DOWNLOAD FILE menu
- Specify File Type (Code), Transfer Mode (TFTP), IP Address (the TFTP server IP), File Path (./) and File Name (the name of the downloaded image file)
- Click Download to transfer the file to the controller
You can track the image transfer under Commands > Config Boot. If Primary Image still shows the old version, the download has not finished yet; once it completes, Primary Image should show 8.3.133.
Step 3: Save Configuration and Reboot Controller
Go to Commands > Reboot and choose Save and Reboot. After the reboot the WLC should be running 8.3.133 and all joined APs start downloading the new image from the controller; expect the wireless service to be interrupted until the APs have rebooted and rejoined. Afterwards confirm the software version shown on the Monitor summary page and check that every AP reports the new version.
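As an added example (not code from this post or from Cisco), the following Python script turns the release-note caveats above and the three upgrade steps into a pre-flight check run from the admin workstation before anything is pushed to the controller: it verifies the downloaded image against the checksum shown on cisco.com, checks that the running release has a direct path to 8.3.133, flags the AP_BUNDLE/FUS filename rule and the two-step caveats, and emits the AireOS CLI equivalent of the GUI Upload File / Download File forms. The image filename AIR-CT2500-K9-8-3-133-0.aes, the TFTP server address 192.0.2.10 and the stand-in file contents are assumptions; the single specific release listed between 7.0.x and 7.2.x in the table is treated as the 7.1 train and mapped to "check-release-notes".

```python
"""Pre-flight checks for a Cisco 2504 WLC image push over TFTP.

Added example for this post, not Cisco tooling. It encodes the release-note
caveats (upgrade path, AP_BUNDLE/FUS filename rule) and the image checksum
check, and prints the AireOS CLI equivalent of the GUI transfer forms.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import tempfile
from pathlib import Path

TARGET_RELEASE = "8.3.133.0"

# Release trains the release-note extract says can go straight to 8.3.133.
DIRECT_TRAINS = {(7, 0), (7, 2), (7, 3), (7, 4), (7, 5), (7, 6),
                 (8, 0), (8, 1), (8, 2), (8, 3)}
# Trains that can go direct but carry a two-step recommendation in the extract.
CAVEAT_TRAINS = {
    (7, 0): "7.0.x with H-REAP VLAN mappings: two-step upgrade recommended",
    (7, 2): "7.2.x with 802.11u HotSpot WLANs: two-step upgrade recommended",
}
# Strings the controller looks for before deciding whether to purge the backup image.
KEEP_BACKUP_MARKERS = ("AP_BUNDLE", "FUS")

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_release(release: str) -> tuple[int, ...]:
    """Split an AireOS version string such as '8.2.130.0' into integers."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"not an AireOS release string: {release!r}")
    return tuple(int(x) for x in m.groups())


def upgrade_path(running: str) -> str:
    """'direct', 'check-release-notes' (7.1: one build listed) or 'unsupported'."""
    train = parse_release(running)[:2]
    if train in DIRECT_TRAINS:
        return "direct"
    if train == (7, 1):
        return "check-release-notes"
    return "unsupported"


def keeps_backup_image(filename: str) -> bool:
    """True if the controller will leave the backup image alone during the download."""
    return any(marker in filename for marker in KEEP_BACKUP_MARKERS)


def sha512_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hex SHA-512 of a file, read in chunks so large images do not need to fit in RAM."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preflight(image: Path, published_sha512: str, running: str) -> dict[str, list[str]]:
    """Blocking problems stop the push; warnings are caveats to read before it."""
    result: dict[str, list[str]] = {"blocking": [], "warnings": []}
    if not hmac.compare_digest(sha512_of(image), published_sha512.strip().lower()):
        result["blocking"].append("image checksum does not match the value published on cisco.com")
    path = upgrade_path(running)
    if path != "direct":
        result["blocking"].append(f"{running} has no direct path to {TARGET_RELEASE} ({path})")
    caveat = CAVEAT_TRAINS.get(parse_release(running)[:2])
    if caveat:
        result["warnings"].append(caveat)
    if not keeps_backup_image(image.name):
        result["warnings"].append("backup image slot will be purged before the download starts")
    return result


def transfer_commands(direction: str, datatype: str, server_ip: str,
                      filename: str, path: str = "./") -> list[str]:
    """AireOS CLI equivalent of Commands > Upload File / Download File over TFTP."""
    if direction not in ("upload", "download") or datatype not in ("config", "code"):
        raise ValueError("direction must be upload/download, datatype config/code")
    p = f"transfer {direction}"
    return [f"{p} mode tftp", f"{p} datatype {datatype}", f"{p} serverip {server_ip}",
            f"{p} path {path}", f"{p} filename {filename}", f"{p} start"]


def demo() -> dict[str, dict[str, list[str]]]:
    """Run preflight against a constructed stand-in file (not a real WLC image)."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "AIR-CT2500-K9-8-3-133-0.aes"   # assumed 2504 base image name
        image.write_bytes(b"constructed stand-in for a WLC image\n" * 4096)
        published = sha512_of(image)   # stands in for the checksum shown on cisco.com
        tampered = published[:-1] + ("0" if published[-1] != "0" else "1")
        return {"good": preflight(image, published, "8.2.130.0"),
                "tampered": preflight(image, tampered, "8.2.130.0")}


if __name__ == "__main__":
    for label, res in demo().items():
        print(label, res)
    for line in transfer_commands("download", "code", "192.0.2.10", "AIR-CT2500-K9-8-3-133-0.aes"):
        print(line)
```

The checksum comparison uses hmac.compare_digest rather than == only out of habit; the point of the check is that a TFTP root is a tempting place to swap an image, so the hash you compare against must come from cisco.com, not from a file that sat next to the image. The CLI lines are what you would type on the controller console if the GUI is unavailable; on a 7.0.x or 7.2.x controller the warnings list tells you to read the two-step note before running "transfer download start".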