For those unfamiliar with this latest WPA2 Security Vulnerability, please bear in mind the problem is on the client device, not the AP. Therefore rushing to patch your APs is not going to solve all the problems in your network from this vulnerability!
Of course, if you’re using WPA-TKIP (or using ‘both’ TKIP and AES), you DO have more problems than this attack. Therefore please ensure that any support for TKIP is disabled! If you’re using WEP, this vulnerability will not affect you, but then again, you have even bigger problems anyway!
So, is WPA2-AES well and truly broken? Do we now need a “WPA3”? In our opinion, no. But it is very possible that the 802.11 standards committee and WiFi-Alliance may look at the protocol again and see if there is anything that can be done to mitigate against this in future releases of the standard.
What have MikroTik and Ubiquiti have to say and what have they done about this?
CERT/CC/ICASI released a public announcement today (16th Oct 2017) about discovered vulnerabilities within the way a wireless client handles the WPA2 4-way security handshake that potentially affects many WiFi users and wireless vendors world wide. Most affected are Android and Linux client devices, however some of the discovered vulnerabilities could possibly also affect MikroTik RouterOS when in one of the many Station modes and Ubiquiti UAPs when Uplinking or Meshing therefore as a precaution, both vendors have hardened their code against such an attack. However, the major problem is with the client devices and therefore maybe something beyond your ability to control. Especially with very low cost IoT devices, which may not get patched for years.
MikroTik have stated that RouterOS v6.39.3, v6.40.4, v6.41rc are not affected which were released last week.
Ubiquiti have stated that UAP Firmware v3.9.3.7537 released today (16th Oct) fixed most of the vulnerabilities.
MikroTik have stated that it is important to note that the vulnerability has been discovered in the WPA2 protocol itself, so even a correct wireless configuration is potentially affected and that not all of the discovered vulnerabilities directly impact RouterOS users, or even apply to RouterOS, but MikroTik have followed all the recommendations and improved the key exchange process according to the guidelines MikroTik received from the above organizations who discovered the issue.
For more info see the research paper at https://www.krackattacks.com/
MikroTik – https://forum.mikrotik.com/viewtopic.php?f=21&t=126695