===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2599
         Wi-Fi Protected Access II (WPA2) handshake traffic can be
             manipulated to induce nonce and session key reuse
                              17 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Wi-Fi Protected Access II (WPA2) devices
Publisher:         CERT/CC
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Network Appliance
                   Mobile Device
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13088 CVE-2017-13087 CVE-2017-13086
                   CVE-2017-13084 CVE-2017-13082 CVE-2017-13081
                   CVE-2017-13080 CVE-2017-13079 CVE-2017-13078
                   CVE-2017-13077  

Original Bulletin: 
   https://www.kb.cert.org/vuls/id/228519
   https://www.krackattacks.com/

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#228519

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to
induce nonce and session key reuse

Original Release date: 16 Oct 2017 | Last revised: 16 Oct 2017

Overview

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to
induce nonce and session key reuse, resulting in key reinstallation by a
wireless access point (AP) or client. An attacker within range of an affected
AP and client may leverage these vulnerabilities to conduct attacks that
are dependent on the data confidentiality protocols being used. Attacks may
include arbitrary packet decryption and injection, TCP connection hijacking,
HTTP content injection, or the replay of unicast and group-addressed frames.

Description

CWE-323: Reusing a Nonce, Key Pair in Encryption

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated
to induce nonce and session key reuse, resulting in key reinstallation
by a victim wireless access point (AP) or client. After establishing
a man-in-the-middle position between an AP and client, an attacker
can selectively manipulate the timing and transmission of messages
in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS)
Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK),
or Wireless Network Management (WNM) Sleep Mode handshakes, resulting
in out-of-sequence reception or retransmission of messages. Depending on
the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and
situational factors, the effect of these manipulations is to reset nonces
and replay counters and ultimately to reinstall session keys. Key reuse
facilitates arbitrary packet decryption and injection, TCP connection
hijacking, HTTP content injection, or the replay of unicast, broadcast,
and multicast frames.
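
An added illustration, not part of the original advisory or any vendor's code: a toy Python model of a client that resets its transmit nonce when the key already in use is installed again, beside a hardened form that ignores the repeat install. The `Station` class, its method names and the HMAC-based keystream are assumptions that stand in for a real supplicant and for CCMP/GCMP; the key and frames are constructed samples.

```python
import hashlib
import hmac


def keystream(key, nonce, length):
    # Toy per-nonce keystream (HMAC-SHA256 in counter mode), not real CCMP/GCMP.
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    # Hypothetical model of a client's key-install logic, not real supplicant code.
    def __init__(self, hardened):
        self.hardened, self.key, self.tx_nonce = hardened, None, 0

    def on_handshake_msg3(self, key):
        # Hardened: the key already in use must not reset the transmit nonce.
        if self.hardened and key == self.key:
            return
        self.key, self.tx_nonce = key, 0

    def send(self, plaintext):
        self.tx_nonce += 1
        ks = keystream(self.key, self.tx_nonce, len(plaintext))
        return self.tx_nonce, xor(plaintext, ks)


def run(hardened):
    # Send one frame, process a retransmitted message 3, send another frame.
    key = bytes(range(16))  # constructed sample key
    sta = Station(hardened)
    sta.on_handshake_msg3(key)
    first = sta.send(b"constructed frame one")
    sta.on_handshake_msg3(key)  # same key delivered again
    return [first, sta.send(b"constructed frame two")]


def reused_nonces(frames):
    # Defender-side check: nonces that appear more than once under one key.
    seen, dup = set(), set()
    for nonce, _ in frames:
        (dup if nonce in seen else seen).add(nonce)
    return dup
```

With `run(False)` both frames carry nonce 1, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; with `run(True)` the counter continues and `reused_nonces` finds nothing.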

The following CVE IDs have been assigned to document these vulnerabilities
in the WPA2 protocol:

CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it
CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame


For a detailed description of these issues, refer to the researcher's
website and paper.

Impact

An attacker within the wireless communications range of an affected AP
and client may leverage these vulnerabilities to conduct attacks that
are dependent on the data confidentiality protocol being used. Impacts
may include arbitrary packet decryption and injection, TCP connection
hijacking, HTTP content injection, or the replay of unicast, broadcast,
and multicast frames.

Solution

Install Updates

The WPA2 protocol is ubiquitous in wireless networking. The vulnerabilities
described here are in the standard itself as opposed to individual
implementations thereof; as such, any correct implementation is likely
affected. Users are encouraged to install updates to affected products and
hosts as they are available. For information about a specific vendor or
product, check the Vendor Information section of this document or contact
the vendor directly. Note that the vendor list below is not exhaustive.

Vendor                Status   Date Notified Date Updated
Aruba Networks        Affected 28 Aug 2017   09 Oct 2017
Cisco                 Affected 28 Aug 2017   16 Oct 2017
Espressif Systems     Affected 22 Sep 2017   13 Oct 2017
Fortinet, Inc.        Affected 28 Aug 2017   16 Oct 2017
FreeBSD Project       Affected 28 Aug 2017   12 Oct 2017
Google                Affected 28 Aug 2017   16 Oct 2017
HostAP                Affected 30 Aug 2017   16 Oct 2017
Intel Corporation     Affected 28 Aug 2017   10 Oct 2017
Juniper Networks      Affected 28 Aug 2017   16 Oct 2017
Microchip Technology  Affected 28 Aug 2017   16 Oct 2017
Microsoft Corporation Affected 28 Aug 2017   16 Oct 2017
OpenBSD               Affected 28 Aug 2017   16 Oct 2017
Peplink               Affected 28 Aug 2017   16 Oct 2017
Red Hat, Inc.         Affected 28 Aug 2017   04 Oct 2017
Samsung Mobile        Affected 28 Aug 2017   12 Oct 2017

CVSS Metrics

Group          Score  Vector
Base           5.4    AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal       4.9    E:POC/RL:ND/RC:C
Environmental  5.7    CDP:ND/TD:H/CR:H/IR:H/AR:ND

References

https://cwe.mitre.org/data/definitions/323.html
https://www.krackattacks.com/
https://papers.mathyvanhoef.com/ccs2017.pdf

Credit

Thanks to Mathy Vanhoef of the imec-DistriNet group at KU Leuven for
reporting these vulnerabilities. Mathy thanks John A. Van Boxtel for
finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.

The CERT/CC also thanks ICASI for their efforts to facilitate vendor
collaboration on addressing these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
CVE-2017-13081 CVE-2017-13082 CVE-2017-13084 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088
Date Public: 16 Oct 2017
Date First Published: 16 Oct 2017
Date Last Updated: 16 Oct 2017
Document Revision: 81

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================