===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2603
 CVE-2017-13080 | Windows Wireless WPA Group Key Reinstallation Vulnerability
                              17 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13080

Reference:         ESB-2017.2600
                   ESB-2017.2599

Original Bulletin:
   https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2017-13080 | Windows Wireless WPA Group Key Reinstallation Vulnerability

Security Vulnerability

Published: 10/16/2017
MITRE CVE-2017-13080

A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network.

Multiple conditions would need to be met in order for an attacker to exploit the vulnerability - the attacker would need to be within the physical proximity of the targeted user, and the user's computer would need to have wireless networking enabled. The attacker would then need to execute a man-in-the-middle (MitM) attack to intercept traffic between the target computer and wireless access point.

The security update addresses the vulnerability by changing how Windows verifies wireless group key handshakes.

Exploitability Assessment

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly Disclosed:       No
Exploited:                No
Latest Software Release:  2 - Exploitation Less Likely
Older Software Release:   2 - Exploitation Less Likely
Denial of Service:        Not Applicable

Affected Products

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

Product                                         Article  Download         Impact    Severity   Supersedence
Windows 10 for 32-bit Systems                   4042895  Security Update  Spoofing  Important  4038781
Windows 10 for x64-based Systems                4042895  Security Update  Spoofing  Important  4038781
Windows 10 Version 1511 for 32-bit Systems      4041689  Security Update  Spoofing  Important  4038783
Windows 10 Version 1511 for x64-based Systems   4041689  Security Update  Spoofing  Important  4038783
Windows 10 Version 1607 for 32-bit Systems      4041691  Security Update  Spoofing  Important  4038782
Windows 10 Version 1607 for x64-based Systems   4041691  Security Update  Spoofing  Important  4038782
Windows 10 Version 1703 for 32-bit Systems      4041676  Security Update  Spoofing  Important  4038788
Windows 10 Version 1703 for x64-based Systems   4041676  Security Update  Spoofing  Important  4038788
Windows 7 for 32-bit Systems Service Pack 1     4041681  Monthly Rollup   Spoofing  Important  4038777
                                                4041678  Security Only
Windows 7 for x64-based Systems Service Pack 1  4041681  Monthly Rollup   Spoofing  Important  4038777
                                                4041678  Security Only
Windows 8.1 for 32-bit systems                  4041693  Monthly Rollup   Spoofing  Important  4038792
                                                4041687  Security Only
Windows 8.1 for x64-based systems               4041693  Monthly Rollup   Spoofing  Important  4038792
                                                4041687  Security Only
Windows RT 8.1                                  4041693  Monthly Rollup   Spoofing  Important  4038792
Windows Server 2008 for 32-bit Systems          4042723  Security Update  Spoofing  Important
  Service Pack 2
Windows Server 2008 for 32-bit Systems          4042723  Security Update  Spoofing  Important
  Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems       4042723  Security Update  Spoofing  Important
  Service Pack 2
Windows Server 2008 for x64-based Systems       4042723  Security Update  Spoofing  Important
  Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based        4041681  Monthly Rollup   Spoofing  Important  4038777
  Systems Service Pack 1                        4041678  Security Only
Windows Server 2008 R2 for x64-based Systems    4041681  Monthly Rollup   Spoofing  Important  4038777
  Service Pack 1                                4041678  Security Only
Windows Server 2008 R2 for x64-based Systems    4041681  Monthly Rollup   Spoofing  Important  4038777
  Service Pack 1 (Server Core installation)     4041678  Security Only
Windows Server 2012                             4041690  Monthly Rollup   Spoofing  Important  4038799
                                                4041679  Security Only
Windows Server 2012 (Server Core installation)  4041690  Monthly Rollup   Spoofing  Important  4038799
                                                4041679  Security Only
Windows Server 2012 R2                          4041693  Monthly Rollup   Spoofing  Important  4038792
                                                4041687  Security Only
Windows Server 2012 R2                          4041693  Monthly Rollup   Spoofing  Important  4038792
  (Server Core installation)                    4041687  Security Only
Windows Server 2016                             4041691  Security Update  Spoofing  Important  4038782
Windows Server 2016 (Server Core installation)  4041691  Security Update  Spoofing  Important  4038782

CVSS Score

The following software versions or editions that are affected have been scored against this vulnerability. Please read the CVSS standards guide to fully understand how CVSS vulnerabilities are scored, and how to interpret CVSS scores.

Platform                                        Base  Temporal  Environmental
Windows 10 for 32-bit Systems                   4.2   3.8       0
Windows 10 for x64-based Systems                4.2   3.8       0
Windows 10 Version 1511 for 32-bit Systems      4.2   3.8       0
Windows 10 Version 1511 for x64-based Systems   4.2   3.8       0
Windows 10 Version 1607 for 32-bit Systems      4.2   3.8       0
Windows 10 Version 1607 for x64-based Systems   4.2   3.8       0
Windows 10 Version 1703 for 32-bit Systems      4.2   3.8       0
Windows 10 Version 1703 for x64-based Systems   4.2   3.8       0
Windows 7 for 32-bit Systems Service Pack 1     4.2   3.8       0
Windows 7 for x64-based Systems Service Pack 1  4.2   3.8       0
Windows 8.1 for 32-bit systems                  4.2   3.8       0
Windows 8.1 for x64-based systems               4.2   3.8       0
Windows RT 8.1                                  4.2   3.8       0
Windows Server 2008 for 32-bit Systems          4.2   3.8       0
  Service Pack 2
Windows Server 2008 for 32-bit Systems          4.2   3.8       0
  Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems       4.2   3.8       0
  Service Pack 2
Windows Server 2008 for x64-based Systems       4.2   3.8       0
  Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based        4.2   3.8       0
  Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems    4.2   3.8       0
  Service Pack 1
Windows Server 2008 R2 for x64-based Systems    4.2   3.8       0
  Service Pack 1 (Server Core installation)
Windows Server 2012                             4.2   3.8       0
Windows Server 2012 (Server Core installation)  4.2   3.8       0
Windows Server 2012 R2                          4.2   3.8       0
Windows Server 2012 R2                          4.2   3.8       0
  (Server Core installation)
Windows Server 2016                             4.2   3.8       0
Windows Server 2016 (Server Core installation)  4.2   3.8       0

Vector String (the same for every platform listed above):
   CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

When did Microsoft release the security updates to address this vulnerability?

Microsoft released security updates on October 10, 2017 as part of Update Tuesday to resolve this vulnerability in all affected editions of Windows. Customers who have Windows Update enabled and who applied the latest security updates are protected automatically. The Security Update Guide was updated on October 16, 2017 to provide full disclosure on this vulnerability in accordance with a multi-vendor coordinated disclosure.

Why did Microsoft delay the disclosure of this vulnerability until October 16, 2017?

Microsoft updated quickly to protect customers as soon as possible, but as a responsible industry partner and to protect customers also using other platforms, we abided by coordinated vulnerability disclosure principles and withheld disclosure until other vendors could develop and release their own updates.

What is the scope of this multi-vendor coordinated vulnerability disclosure?

In partnership with the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), Microsoft participated in a multi-vendor coordinated disclosure to acknowledge and describe several Wi-Fi Protected Access (WPA) Vulnerabilities. The vulnerabilities affect multiple platforms, devices, and drivers from partners across the industry, and ICASI is tracking the overall disclosure to provide background, guidance, and links to individual vendor documentation. The ICASI Multi-Vendor Vulnerability Disclosure statement can be found at this link: http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities

Does this security update fully address these vulnerabilities on Microsoft Platforms, or do I need to perform any additional steps to be fully protected?

The provided security updates address the reported vulnerabilities; however, when affected Windows based systems enter a connected standby mode in low power situations, the vulnerable functionality may be offloaded to installed Wi-Fi hardware. To fully address potential vulnerabilities, you are also encouraged to contact your Wi-Fi hardware vendor to obtain updated device drivers. For a listing of affected vendors with links to their documentation, review the ICASI Multi-Vendor Vulnerability Disclosure statement here: http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities

Is this vulnerability related to Microsoft Security Advisory ADV170016?

Yes, the Windows Server 2008 platform requires individual update packages, so Microsoft released the advisory on October 10, 2017 to ensure its inclusion within the standard deployment tools, and to encourage customers to apply the update without impacting the multi-vendor disclosure.

How can an attacker exploit this vulnerability?

An attacker could potentially execute a man-in-the-middle attack to intercept traffic between the target computer and wireless access point. However, multiple conditions would first need to be met - the attacker would need to be within the physical proximity of the targeted user, and the user's computer would need to have wireless networking enabled.

Have there been any active attacks detected?

No. When this security advisory was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Acknowledgments

Mathy Vanhoef (@vanhoefm) of imec-DistriNet, KU Leuven

See acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================