KRACK - Apple security notices need more detail

AJ2 — Thu, 02 Nov 2017 18:46:44 GMT

Apple announced new security updates November 1st 2017. This time they explicitly list KRACK fix but only for iPhone 7 and iPad Pro 9.7 inch. Does that mean everything else was already patched or that everything else is vulnerable? Apple need to be specific and clear.

Official apple announcement: https://support.apple.com/en-us/HT208222

At the bottom of that page:

Wi-Fi

Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)

Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven

Re: KRACK - Apple security notices need more detail

kpinkham — Tue, 07 Nov 2017 14:58:20 GMT

Yes, this is confusing. I am now seeing information for IPhone 8, IPhone 8 plus, and IPhone X at this link (in addition to the original IPhone 7 information). It looks like there are multiple CVE numbers for KRACK (Apple is showing CVE-2017-13080 for the 7 and CVE-2017-13078 and CVE-2017-13079 for the 8 and X) and they are providing information separately.

topic Re: KRACK - Apple security notices need more detail in Industry News

KRACK - Apple security notices need more detail

Re: KRACK - Apple security notices need more detail