Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2017.2599 Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse 17 October 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Wi-Fi Protected Access II (WPA2) devices Publisher: CERT\CC Operating System: UNIX variants (UNIX, Linux, OSX) Windows Network Appliance Mobile Device Impact/Access: Access Privileged Data -- Remote/Unauthenticated Provide Misleading Information -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2017-13088 CVE-2017-13087 CVE-2017-13086 CVE-2017-13084 CVE-2017-13082 CVE-2017-13081 CVE-2017-13080 CVE-2017-13079 CVE-2017-13078 CVE-2017-13077 Original Bulletin: https://www.kb.cert.org/vuls/id/228519 https://www.krackattacks.com/ - --------------------------BEGIN INCLUDED TEXT-------------------- Vulnerability Note VU#228519 Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse Original Release date: 16 Oct 2017 | Last revised: 16 Oct 2017 Overview Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. Description CWE-323: Reusing a Nonce, Key Pair in Encryption Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames. The following CVE IDs have been assigned to document these vulnerabilities in the WPA2 protocol: CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake CVE-2017-13078: reinstallation of the group key in the Four-way handshake CVE-2017-13079: reinstallation of the integrity group key in the Four-wayhandshake CVE-2017-13080: reinstallation of the group key in the Group Key handshake CVE-2017-13081: reinstallation of the integrity group key in the GroupKey handshake CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame For a detailed description of these issues, refer to the researcher's website and paper. Impact An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames. Solution Install Updates The WPA2 protocol is ubiquitous in wireless networking. The vulnerabilities described here are in the standard itself as opposed to individual implementations thereof; as such, any correct implementation is likely affected. Users are encouraged to install updates to affected products and hosts as they are available. For information about a specific vendor or product, check the Vendor Information section of this document or contact the vendor directly. Note that the vendor list below is not exhaustive. Vendor Status Date Notified Date Updated Aruba Networks Affected 28 Aug 2017 09 Oct 2017 Cisco Affected 28 Aug 2017 16 Oct 2017 Espressif Systems Affected 22 Sep 2017 13 Oct 2017 Fortinet, Inc. Affected 28 Aug 2017 16 Oct 2017 FreeBSD Project Affected 28 Aug 2017 12 Oct 2017 Google Affected 28 Aug 2017 16 Oct 2017 HostAP Affected 30 Aug 2017 16 Oct 2017 Intel Corporation Affected 28 Aug 2017 10 Oct 2017 Juniper Networks Affected 28 Aug 2017 16 Oct 2017 Microchip Technology Affected 28 Aug 2017 16 Oct 2017 Microsoft Corporation Affected 28 Aug 2017 16 Oct 2017 OpenBSD Affected 28 Aug 2017 16 Oct 2017 Peplink Affected 28 Aug 2017 16 Oct 2017 Red Hat, Inc. Affected 28 Aug 2017 04 Oct 2017 Samsung Mobile Affected 28 Aug 2017 12 Oct 2017 CVSS Metrics (Learn More) Group Score Vector Base 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P Temporal 4.9 E:POC/RL:ND/RC:C Environmental 5.7 CDP:ND/TD:H/CR:H/IR:H/AR:ND References https://cwe.mitre.org/data/definitions/323.html https://www.krackattacks.com/ https://papers.mathyvanhoef.com/ccs2017.pdf Credit Thanks to Mathy Vanhoef of the imec-DistriNet group at KU Leuven for reporting these vulnerabilities. Mathy thanks John A. Van Boxtel for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077. The CERT/CC also thanks ICASI for their efforts to facilitate vendor collaboration on addressing these vulnerabilities. This document was written by Joel Land. Other Information CVE IDs: CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13084 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 Date Public: 16 Oct 2017 Date First Published: 16 Oct 2017 Date Last Updated: 16 Oct 2017 Document Revision: 81 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWeU6jox+lLeg9Ub1AQj0bw/6A1TigxtUxyeIJS/bQkcS6/7sjPYn4IMZ LXvoJOyJ4ZC+l2CMTkOKvlUTFDtBqpP5+PXExr34iVJXt2WrHCGnzRSGXRUPpDN+ 9ZxLbmYmgH8jeHLvmgVLkt+vfJ3+gVtBwAMg03W8zKesQ58NXgnUSamvFqfBa6xz OhJMdm8R+hP9g/OOZtuqZCr7vpV8WZ4UbKUJoWcWPOIELQaubutlnnUZT9sSJhre cZ+s5OBrv3STOsHGZU1uTHnqBUBuU3gU/HDaoNvWTAK1Eoq7jBcq9vaCsehpgjFy qYt1OQFpdXYh5+fq3hd25CyasuDAeh0Kf72+59hX/szp0uttMTMs0coRajYlk5bh O3u9FeVBC8Yp0BxIiHYSnDUc4Hkas49w76cuhYZb3lpHShV18P/Zaxd2NVd1v6VS XdDO5JoIARhTOGUP9JSlKbUqzEgLGATsrussVkwFfVQV+A7iwvNkDqbFVVxRaRlf bKwty87I15cTgLVxFhITEsfXza3pCbMrU8HdzrH4ABp9jp+jkLWGkHc7GLWjMet0 4+OEJLdhzfuG1WhHHeo+bXFWx9U6xitBYmh2PiOw1vAW4bhnLVouGkd6VTmehYyz 87d6PipZOz8r/sm7mVnqtg/RdwtZ01LHMVkjNIu2MBQK0050KTTpOy2xyIYSkn63 k23DhBPqmec= =AYyz -----END PGP SIGNATURE-----