Asus protected management frames

[DPUK01]

Hello. I have an Asus RT68U router which I use for my home network. I have set the Protected Management Frames (PMF) to 'required' for all client devices (https://www.asus.com/uk/support/faq/1042472/). None have disconnected when this was set, which I think means that these are encrypted now. However, does anyone know if this management frame encryption will protect against the Krak vulnerability in the WPA2 authentication process. I have read that disabling EAPOL retries offers some protection against this but it isn't an option via the router Web GUI (perhaps via Telnet though?).

Although declared end of life, Asus are still releasing new firmware for this router (https://www.asus.com/supportonly/rt-ac68u/helpdesk_bios/). Once they stop doing so, I may go down the 802.11ax route and choose WPA3 authentication where possible, although some IoT devices will still only support WPA2

Any advice welcome.... thanks in advance.

 

[OzarkEdge]

Hello. I have an Asus RT68U router which I use for my home network. I have set the Protected Management Frames (PMF) to 'required' for all client devices (https://www.asus.com/uk/support/faq/1042472/). None have disconnected when this was set, which I think means that these are encrypted now. However, does anyone know if this management frame encryption will protect against the Krak vulnerability in the WPA2 authentication process. I have read that disabling EAPOL retries offers some protection against this but it isn't an option via the router Web GUI (perhaps via Telnet though?).

Although declared end of life, Asus are still releasing new firmware for this router (https://www.asus.com/supportonly/rt-ac68u/helpdesk_bios/). Once they stop doing so, I may go down the 802.11ax route and choose WPA3 authentication where possible, although some IoT devices will still only support WPA2

Any advice welcome.... thanks in advance.

ASUS has only reached back to patch the AC68U firmware to protect its exceptional/large user base from an extreme vulnerability. For all practical purposes, the AC68U is EoL and no longer supported.

I would retire the AC68U and consider the AX86U Pro (dual-band WiFi6) or better that supports next gen ASUSWRT 5.0 (3.0.0.6.*) firmware with option for combined WPA2/WPA3 support with PMF default to 'capable'. Mixed wireless clients will authenticate as best they know how.

OE

 

[DPUK01]

Thanks for your advice, OzarkEdge. I'll have a look at the AX68U - especially the security settings

 

[ColinTaylor]

However, does anyone know if this management frame encryption will protect against the Krak vulnerability in the WPA2 authentication process.

The Krack vulnerability was patched in 2018.

 

[OzarkEdge]

I'll have a look at the AX68U

AX68U is not my recommendation.

OE

 

[DPUK01]

The Krack vulnerability was patched in 2018.

Thanks Colin. Do you know where I could any further information about the patch?

 

[DPUK01]

AX68U is not my recommendation.

OE

Apologies OE. I made a typo - it should read RT-AX86U Pro

 

[ColinTaylor]

Thanks Colin. Do you know where I could any further information about the patch?

You'd have to search though all the forum discussions about it from six or seven years ago. From memory the Asus release notes at the time just had a single line saying it was fixed (see this link). Unfortunately all the 3.0.0.4.382.x firmware from that era have long since been removed from the Asus website.

What is your interest in this particular vulnerability (as apposed to any of the subsequent ones, e.g. kr00k)? Bear in mind that Krack is a client side vulnerability. So it's not an issue unless you're running your router as a repeater or media bridge.

EDIT: I did find this entry on the ASUS Product Security Advisory page:

10/31/2017 Update on security advisory for the vulnerability of WPA2 protocol ∇
ASUS is working closely with chipset suppliers to resolve the vulnerability in the WPA2 security protocol, which affects some but not all ASUS products (check the list below). KRACK can exploit the vulnerability only under certain conditions highlighted in the previous update. Your network configuration is more secure when under these conditions:

(1) Routers and gateways working in their default mode (Router Mode) and AP Mode.
(2) Range extenders working in AP Mode.
(3) When Powerline adapters and switch products are used.

ASUS is working actively towards a solution, and will continue to post software updates. Find out more: https://www.asus.com/support/

Full list of routers unaffected by KRACK while in default mode:
GT-AC5300
RT-AC1200
RT-AC1200G
RT-AC1200G Plus
RT-AC1200HP
RT-AC1300HP
RT-AC1900
RT-AC1900P
RT-AC3100
RT-AC3200
RT-AC51U
RT-AC52U
RT-AC53
RT-AC5300
RT-AC53U
RT-AC54U
RT-AC55U
RT-AC55UHP
RT-AC56S
RT-AC56U
RT-AC58U
RT-AC66U
RT-AC66U B1
RT-AC66W
RT-AC68P
RT-AC68UF
RT-AC68W
RT-AC86U
RT-AC87U
RT-AC88U
RT-ACRH17
RT-ACRH13
RT-N10P V3
RT-N11P B1
RT-N12 D1
RT-N12 VP B1
RT-N12+
RT-N12+ B1
RT-N12E C1
RT-N12E_B1
RT-N12HP B1
RT-N14U
RT-N14UHP
RT-N16
RT-N18U
RT-N300 B1
RT-N56U
RT-N56U B1
RT-N65U
RT-N66U
RT-N66W
BRT-AC828
DSL-AC87VG
DSL-AC52U
DSL-AC55U
DSL-AC56U
DSL-AC68R
DSL-AC68U
DSL-N10_C1
DSL-N12E_C1
DSL-N12HP
DSL-N12U
DSL-N12U B1
DSL-N12U D1
DSL-N12U_C1
DSL-N14U
DSL-N14U B1
DSL-N16
DSL-N16U
DSL-N17U
DSL-N55U D1
DSL-N55U_C1
4G-AC68U
RT-AC65U
RT-AC85U

 

[DPUK01]

Thanks for the link, Colin. Very interesting to see what Asus say in the security advisory. From what I understand, the Krack vulnerability relates to the WPA2 4-way handshake, interrupting it as a way of infiltrating on to a network instead of the original legitimate device (https://sucuri.net/definitions/security/krack-attack/). Mention is made in the article I've just linked about updating firmware as well. However, It seems that WPA2 authentication cannot been modified itself (as this would have to be both on the router and device side and there could be an issue of backwards compatibility of unmodified client devices). WPA3 fixes this but if devices in use are WPA2 then this will still be a vulnerability, I believe. Instead, disabling something called EAPOL retry has been introduced in some routers’ firmware, for instance Draytek: https://www.draytek.co.uk/support/guides/kb-wpa2-eapol. My original question was whether Asus’s description of Protected Management Frames is their way of describing this functionality or something completely different. I’ve searched this forum and the wider web but can’t find an answer. I’ve also asked Asus but heard nothing back


Any further light on this would be great but, if not, then I can just leave this as an unknown

 

[Tech9]

My original question was whether Asus’s description of Protected Management Frames is their way of describing this functionality or something completely different.

The way it works in general with Asus and other vendors is the way Broadcom made it work in their chipset and drivers. Asus has nothing to do with it. The way it works on your 12+ years old hardware - unknown. It's either broken, either you are lucky with all clients supporting PMF.