ESB-2017.2603 - [Win] Microsoft Windows: Access privileged data - Remote/unauthenticated 2017-10-17


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2603
              CVE-2017-13080 | Windows Wireless WPA Group Key
                       Reinstallation Vulnerability
                              17 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13080  

Reference:         ESB-2017.2600
                   ESB-2017.2599

Original Bulletin: 
   https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2017-13080 | Windows Wireless WPA Group Key Reinstallation Vulnerability
Security Vulnerability

Published: 10/16/2017
MITRE CVE-2017-13080

A spoofing vulnerability exists in the Windows implementation of wireless
networking. An attacker who successfully exploited this vulnerability
could potentially replay broadcast and/or multicast traffic to hosts on
a WPA or WPA 2-protected wireless network.

Multiple conditions would need to be met in order for an attacker to
exploit the vulnerability - the attacker would need to be within the
physical proximity of the targeted user, and the user's computer would
need to have wireless networking enabled. The attacker would then need
to execute a man-in-the-middle (MitM) attack to intercept traffic between
the target computer and wireless access point.

The security update addresses the vulnerability by changing how Windows
verifies wireless group key handshakes.

Exploitability Assessment

The following table provides an exploitability assessment for this
vulnerability at the time of original publication.

Publicly Disclosed  Exploited  Latest Software Release       Older Software Release        Denial of Service
No                  No         2 - Exploitation Less Likely  2 - Exploitation Less Likely  Not Applicable

			       Affected Products

The following software versions or editions are affected. Versions or editions
that are not listed are either past their support life cycle or are not
affected. To determine the support life cycle for your software version or
edition, see the Microsoft Support Lifecycle.


Product                                         Platform  Article  Download         Impact    Severity   Supersedence
----------------------------------------------  --------  -------  ---------------  --------  ---------  ------------
Windows 10 for 32-bit Systems                             4042895  Security Update  Spoofing  Important  4038781
Windows 10 for x64-based Systems                          4042895  Security Update  Spoofing  Important  4038781
Windows 10 Version 1511 for 32-bit Systems                4041689  Security Update  Spoofing  Important  4038783
Windows 10 Version 1511 for x64-based Systems             4041689  Security Update  Spoofing  Important  4038783
Windows 10 Version 1607 for 32-bit Systems                4041691  Security Update  Spoofing  Important  4038782
Windows 10 Version 1607 for x64-based Systems             4041691  Security Update  Spoofing  Important  4038782
Windows 10 Version 1703 for 32-bit Systems                4041676  Security Update  Spoofing  Important  4038788
Windows 10 Version 1703 for x64-based Systems             4041676  Security Update  Spoofing  Important  4038788
Windows 7 for 32-bit Systems Service Pack 1               4041681  Monthly Rollup   Spoofing  Important  4038777
                                                          4041678  Security Only
Windows 7 for x64-based Systems Service Pack 1            4041681  Monthly Rollup   Spoofing  Important  4038777
                                                          4041678  Security Only
Windows 8.1 for 32-bit systems                            4041693  Monthly Rollup   Spoofing  Important  4038792
                                                          4041687  Security Only
Windows 8.1 for x64-based systems                         4041693  Monthly Rollup   Spoofing  Important  4038792
                                                          4041687  Security Only
Windows RT 8.1                                            4041693  Monthly Rollup   Spoofing  Important  4038792
Windows Server 2008 for 32-bit Systems                    4042723  Security Update  Spoofing  Important
  Service Pack 2
Windows Server 2008 for 32-bit Systems                    4042723  Security Update  Spoofing  Important
  Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems                 4042723  Security Update  Spoofing  Important
  Service Pack 2
Windows Server 2008 for x64-based Systems                 4042723  Security Update  Spoofing  Important
  Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based                  4041681  Monthly Rollup   Spoofing  Important  4038777
  Systems Service Pack 1                                  4041678  Security Only
Windows Server 2008 R2 for x64-based Systems              4041681  Monthly Rollup   Spoofing  Important  4038777
  Service Pack 1                                          4041678  Security Only
Windows Server 2008 R2 for x64-based Systems              4041681  Monthly Rollup   Spoofing  Important  4038777
  Service Pack 1 (Server Core installation)               4041678  Security Only
Windows Server 2012                                       4041690  Monthly Rollup   Spoofing  Important  4038799
                                                          4041679  Security Only
Windows Server 2012                                       4041690  Monthly Rollup   Spoofing  Important  4038799
  (Server Core installation)                              4041679  Security Only
Windows Server 2012 R2                                    4041693  Monthly Rollup   Spoofing  Important  4038792
                                                          4041687  Security Only
Windows Server 2012 R2                                    4041693  Monthly Rollup   Spoofing  Important  4038792
  (Server Core installation)                              4041687  Security Only
Windows Server 2016                                       4041691  Security Update  Spoofing  Important  4038782
Windows Server 2016                                       4041691  Security Update  Spoofing  Important  4038782
  (Server Core installation)





				  CVSS Score

The following software versions or editions that are affected have been scored
against this vulnerability. Please read the CVSS standards guide to fully
understand how CVSS vulnerabilities are scored, and how to interpret CVSS
scores.


Mitigations


tform    Scores     Vector
                                            Base Temporal String Environmental
                                                                 CVSS:3.0/AV:A/
Windows 10 for 32-bit Systems                                    AC:H/PR:N/UI:N
Windows 10 for 32-bit Systems               4.2  3.8      0      /S:U/C:N/I:L/
                                                                 A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 10 for x64-based Systems                                 AC:H/PR:N/UI:N
Windows 10 for x64-based Systems            4.2  3.8      0      /S:U/C:N/I:L/
                                                                 A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 10 Version 1511 for 32-bit                               AC:H/PR:N/UI:N
Systems Windows 10 Version 1511             4.2  3.8      0      /S:U/C:N/I:L/
for 32-bit Systems                                               A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 10 Version 1511 for                                      AC:H/PR:N/UI:N
x64-based Systems Windows 10                4.2  3.8      0      /S:U/C:N/I:L/
Version 1511 for x64-based Systems                               A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 10 Version 1607 for 32-bit                               AC:H/PR:N/UI:N
Systems Windows 10 Version 1607             4.2  3.8      0      /S:U/C:N/I:L/
for 32-bit Systems                                               A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 10 Version 1607 for                                      AC:H/PR:N/UI:N
x64-based Systems Windows 10                4.2  3.8      0      /S:U/C:N/I:L/
Version 1607 for x64-based Systems                               A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 10 Version 1703 for 32-bit                               AC:H/PR:N/UI:N
Systems Windows 10 Version 1703             4.2  3.8      0      /S:U/C:N/I:L/
for 32-bit Systems                                               A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 10 Version 1703 for                                      AC:H/PR:N/UI:N
x64-based Systems Windows 10                4.2  3.8      0      /S:U/C:N/I:L/
Version 1703 for x64-based Systems                               A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 7 for 32-bit Systems                                     AC:H/PR:N/UI:N
Service Pack 1 Windows 7 for                4.2  3.8      0      /S:U/C:N/I:L/
32-bit Systems Service Pack 1                                    A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 7 for x64-based Systems                                  AC:H/PR:N/UI:N
Service Pack 1 Windows 7 for                4.2  3.8      0      /S:U/C:N/I:L/
x64-based Systems Service Pack 1                                 A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 8.1 for 32-bit systems                                   AC:H/PR:N/UI:N
Windows 8.1 for 32-bit systems              4.2  3.8      0      /S:U/C:N/I:L/
                                                                 A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows 8.1 for x64-based systems                                AC:H/PR:N/UI:N
Windows 8.1 for x64-based systems           4.2  3.8      0      /S:U/C:N/I:L/
                                                                 A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
                                                                 AC:H/PR:N/UI:N
Windows RT 8.1 Windows RT 8.1               4.2  3.8      0      /S:U/C:N/I:L/
                                                                 A:L/E:P/RL:O/
                                                                 RC:C
Windows Server 2008 for 32-bit                                   CVSS:3.0/AV:A/
Systems Service Pack 2 Windows                                   AC:H/PR:N/UI:N
Server 2008 for 32-bit Systems              4.2  3.8      0      /S:U/C:N/I:L/
Service Pack 2                                                   A:L/E:P/RL:O/
                                                                 RC:C
Windows Server 2008 for 32-bit                                   CVSS:3.0/AV:A/
Systems Service Pack 2 (Server                                   AC:H/PR:N/UI:N
Core installation) Windows Server           4.2  3.8      0      /S:U/C:N/I:L/
2008 for 32-bit Systems Service                                  A:L/E:P/RL:O/
Pack 2 (Server Core installation)                                RC:C
Windows Server 2008 for x64-based                                CVSS:3.0/AV:A/
Systems Service Pack 2 Windows                                   AC:H/PR:N/UI:N
Server 2008 for x64-based Systems           4.2  3.8      0      /S:U/C:N/I:L/
Service Pack 2                                                   A:L/E:P/RL:O/
                                                                 RC:C
Windows Server 2008 for x64-based                                CVSS:3.0/AV:A/
Systems Service Pack 2 (Server                                   AC:H/PR:N/UI:N
Core installation) Windows Server           4.2  3.8      0      /S:U/C:N/I:L/
2008 for x64-based Systems Service                               A:L/E:P/RL:O/
Pack 2 (Server Core installation)                                RC:C
Windows Server 2008 R2 for                                       CVSS:3.0/AV:A/
Itanium-Based Systems Service Pack                               AC:H/PR:N/UI:N
1 Windows Server 2008 R2 for                4.2  3.8      0      /S:U/C:N/I:L/
Itanium-Based Systems Service Pack                               A:L/E:P/RL:O/
1                                                                RC:C
Windows Server 2008 R2 for                                       CVSS:3.0/AV:A/
x64-based Systems Service Pack 1                                 AC:H/PR:N/UI:N
Windows Server 2008 R2 for                  4.2  3.8      0      /S:U/C:N/I:L/
x64-based Systems Service Pack 1                                 A:L/E:P/RL:O/
                                                                 RC:C
Windows Server 2008 R2 for                                       CVSS:3.0/AV:A/
x64-based Systems Service Pack 1                                 AC:H/PR:N/UI:N
(Server Core installation) Windows          4.2  3.8      0      /S:U/C:N/I:L/
Server 2008 R2 for x64-based                                     A:L/E:P/RL:O/
Systems Service Pack 1 (Server                                   RC:C
Core installation)
                                                                 CVSS:3.0/AV:A/
Windows Server 2012 Windows Server                               AC:H/PR:N/UI:N
2012                                        4.2  3.8      0      /S:U/C:N/I:L/
                                                                 A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows Server 2012 (Server Core                                 AC:H/PR:N/UI:N
installation) Windows Server 2012           4.2  3.8      0      /S:U/C:N/I:L/
(Server Core installation)                                       A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows Server 2012 R2 Windows                                   AC:H/PR:N/UI:N
Server 2012 R2                              4.2  3.8      0      /S:U/C:N/I:L/
                                                                 A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows Server 2012 R2 (Server                                   AC:H/PR:N/UI:N
Core installation) Windows Server           4.2  3.8      0      /S:U/C:N/I:L/
2012 R2 (Server Core installation)                               A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows Server 2016 Windows Server                               AC:H/PR:N/UI:N
2016                                        4.2  3.8      0      /S:U/C:N/I:L/
                                                                 A:L/E:P/RL:O/
                                                                 RC:C
                                                                 CVSS:3.0/AV:A/
Windows Server 2016 (Server Core                                 AC:H/PR:N/UI:N
installation) Windows Server 2016           4.2  3.8      0      /S:U/C:N/I:L/
(Server Core installation)                                       A:L/E:P/RL:O/
                                                                 RC:C

Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds

Microsoft has not identified any workarounds for this vulnerability.
FAQ
When did Microsoft release the security updates to address this
vulnerability?

Microsoft released security updates on October 10, 2017 as part of
Update Tuesday to resolve this vulnerability in all affected editions of
Windows. Customers who have Windows Update enabled and who applied the
latest security updates are protected automatically. The Security Update
Guide was updated on October 16, 2017 to provide full disclosure on this
vulnerability in accordance with a multi-vendor coordinated disclosure.

Why did Microsoft delay the disclosure of this vulnerability until October
16, 2017?

Microsoft updated quickly to protect customers as soon as possible, but as
a responsible industry partner and to protect customers also using other
platforms, we abided by coordinated vulnerability disclosure principles
and withheld disclosure until other vendors could develop and release
their own updates.

What is the scope of this multi-vendor coordinated vulnerability disclosure?

In partnership with the International Consortium for Advancement of
Cybersecurity on the Internet (ICASI), Microsoft participated in a
multi-vendor coordinated disclosure to acknowledge and describe several
Wi-Fi Protected Access (WPA) Vulnerabilities.  The vulnerabilities
affect multiple platforms, devices, and drivers from partners across
the industry, and ICASI is tracking the overall disclosure to provide
background, guidance, and links to individual vendor documentation. The
ICASI Multi-Vendor Vulnerability Disclosure statement can be found at this
link: http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities

Does this security update fully address these vulnerabilities on Microsoft
Platforms, or do I need to perform any additional steps to be fully
protected?

The provided security updates address the reported vulnerabilities;
however, when affected Windows based systems enter a connected standby
mode in low power situations, the vulnerable functionality may be
offloaded to installed Wi-Fi hardware. To fully address potential
vulnerabilities, you are also encouraged to contact your Wi-Fi
hardware vendor to obtain updated device drivers.  For a listing
of affected vendors with links to their documentation, review
the ICASI Multi-Vendor Vulnerability Disclosure statement here:
http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities

Is this vulnerability related to Microsoft Security Advisory ADV170016?

Yes, the Windows Server 2008 platform requires individual update packages, so
Microsoft released the advisory on October 10, 2017 to ensure its inclusion
within the standard deployment tools, and to encourage customers to apply
the update without impacting the multi-vendor disclosure.

How can an attacker exploit this vulnerability?

An attacker could potentially execute a man-in-the-middle attack to intercept
traffic between the target computer and wireless access point. However,
multiple conditions would first need to be met - the attacker would need
to be within the physical proximity of the targeted user, and the user's
computer would need to have wireless networking enabled.

Have there been any active attacks detected?

No. When this security advisory was issued, Microsoft had not received any
information to indicate that this vulnerability had been publicly used to
attack customers.

Acknowledgments

Mathy Vanhoef (@vanhoefm) of imec-DistriNet, KU Leuven

See acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================