Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2603
CVE-2017-13080 | Windows Wireless WPA Group Key
Reinstallation Vulnerability
17 October 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Windows
Publisher: Microsoft
Operating System: Windows
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-13080
Reference: ESB-2017.2600
ESB-2017.2599
Original Bulletin:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080
- --------------------------BEGIN INCLUDED TEXT--------------------
CVE-2017-13080 | Windows Wireless WPA Group Key Reinstallation Vulnerability
Security Vulnerability
Published: 10/16/2017
MITRE CVE-2017-13080
A spoofing vulnerability exists in the Windows implementation of wireless
networking. An attacker who successfully exploited this vulnerability
could potentially replay broadcast and/or multicast traffic to hosts on
a WPA or WPA 2-protected wireless network.
Multiple conditions would need to be met in order for an attacker to
exploit the vulnerability - the attacker would need to be within the
physical proximity of the targeted user, and the user's computer would
need to have wireless networking enabled. The attacker would then need
to execute a man-in-the-middle (MitM) attack to intercept traffic between
the target computer and wireless access point.
The security update addresses the vulnerability by changing how Windows
verifies wireless group key handshakes.
Exploitability Assessment
The following table provides an exploitability assessment for this
vulnerability at the time of original publication.
Publicly Disclosed Exploited Latest Software Release Older Software Release Denial of Service
No No 2 - Exploitation Less Likely 2 - Exploitation Less Likely Not Applicable
Affected Products
The following software versions or editions are affected. Versions or editions
that are not listed are either past their support life cycle or are not
affected. To determine the support life cycle for your software version or
edition, see the Microsoft Support Lifecycle.
Product Platform Article Download Impact Severity
Supersedence
Security
Windows 10 for 4042895 Update Spoofing Important 4038781
32-bit Systems 4042895 Security
Update
Security
Windows 10 for 4042895 Update Spoofing Important 4038781
x64-based Systems 4042895 Security
Update
Windows 10 Version Security
1511 for 32-bit 4041689 Update Spoofing Important 4038783
Systems 4041689 Security
Update
Windows 10 Version Security
1511 for x64-based 4041689 Update Spoofing Important 4038783
Systems 4041689 Security
Update
Windows 10 Version Security
1607 for 32-bit 4041691 Update Spoofing Important 4038782
Systems 4041691 Security
Update
Windows 10 Version Security
1607 for x64-based 4041691 Update Spoofing Important 4038782
Systems 4041691 Security
Update
Windows 10 Version Security
1703 for 32-bit 4041676 Update Spoofing Important 4038788
Systems 4041676 Security
Update
Windows 10 Version Security
1703 for x64-based 4041676 Update Spoofing Important 4038788
Systems 4041676 Security
Update
Monthly
4041681 Rollup
Windows 7 for 32-bit 4041681 Monthly
Systems Service Pack Rollup Spoofing Important 4038777
1 Security
4041678 Only
4041678 Security
Only
Monthly
4041681 Rollup
Windows 7 for 4041681 Monthly
x64-based Systems Rollup Spoofing Important 4038777
Service Pack 1 Security
4041678 Only
4041678 Security
Only
Monthly
4041693 Rollup
4041693 Monthly
Windows 8.1 for Rollup Spoofing Important 4038792
32-bit systems Security
4041687 Only
4041687 Security
Only
Monthly
4041693 Rollup
4041693 Monthly
Windows 8.1 for Rollup Spoofing Important 4038792
x64-based systems Security
4041687 Only
4041687 Security
Only
Monthly
Windows RT 8.1 4041693 Rollup Spoofing Important 4038792
4041693 Monthly
Rollup
Windows Server 2008 Security
for 32-bit Systems 4042723 Update Spoofing Important
Service Pack 2 4042723 Security
Update
Windows Server 2008 Security
for 32-bit Systems 4042723 Update
Service Pack 2 4042723 Security Spoofing Important
(Server Core Update
installation)
Windows Server 2008 Security
for x64-based 4042723 Update Spoofing Important
Systems Service Pack 4042723 Security
2 Update
Windows Server 2008 Security
for x64-based 4042723 Update
Systems Service Pack 4042723 Security Spoofing Important
2 (Server Core Update
installation)
Monthly
4041681 Rollup
Windows Server 2008 4041681 Monthly
R2 for Itanium-Based Rollup Spoofing Important 4038777
Systems Service Pack Security
1 4041678 Only
4041678 Security
Only
Monthly
4041681 Rollup
Windows Server 2008 4041681 Monthly
R2 for x64-based Rollup Spoofing Important 4038777
Systems Service Pack Security
1 4041678 Only
4041678 Security
Only
Monthly
Windows Server 2008 4041681 Rollup
R2 for x64-based 4041681 Monthly
Systems Service Pack Rollup Spoofing Important 4038777
1 (Server Core Security
installation) 4041678 Only
4041678 Security
Only
Monthly
4041690 Rollup
4041690 Monthly
Windows Server 2012 Rollup Spoofing Important 4038799
Security
4041679 Only
4041679 Security
Only
Monthly
4041690 Rollup
Windows Server 2012 4041690 Monthly
(Server Core Rollup Spoofing Important 4038799
installation) Security
4041679 Only
4041679 Security
Only
Monthly
4041693 Rollup
4041693 Monthly
Windows Server 2012 Rollup Spoofing Important 4038792
R2 Security
4041687 Only
4041687 Security
Only
Monthly
4041693 Rollup
Windows Server 2012 4041693 Monthly
R2 (Server Core Rollup Spoofing Important 4038792
installation) Security
4041687 Only
4041687 Security
Only
Security
Windows Server 2016 4041691 Update Spoofing Important 4038782
4041691 Security
Update
Windows Server 2016 Security
(Server Core 4041691 Update Spoofing Important 4038782
installation) 4041691 Security
Update
CVSS Score
The following software versions or editions that are affected have been scored
against this vulnerability. Please read the CVSS standards guide to fully
understand how CVSS vulnerabilities are scored, and how to interpret CVSS
scores.
Mitigations
tform Scores Vector
Base Temporal String Environmental
CVSS:3.0/AV:A/
Windows 10 for 32-bit Systems AC:H/PR:N/UI:N
Windows 10 for 32-bit Systems 4.2 3.8 0 /S:U/C:N/I:L/
A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 10 for x64-based Systems AC:H/PR:N/UI:N
Windows 10 for x64-based Systems 4.2 3.8 0 /S:U/C:N/I:L/
A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 10 Version 1511 for 32-bit AC:H/PR:N/UI:N
Systems Windows 10 Version 1511 4.2 3.8 0 /S:U/C:N/I:L/
for 32-bit Systems A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 10 Version 1511 for AC:H/PR:N/UI:N
x64-based Systems Windows 10 4.2 3.8 0 /S:U/C:N/I:L/
Version 1511 for x64-based Systems A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 10 Version 1607 for 32-bit AC:H/PR:N/UI:N
Systems Windows 10 Version 1607 4.2 3.8 0 /S:U/C:N/I:L/
for 32-bit Systems A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 10 Version 1607 for AC:H/PR:N/UI:N
x64-based Systems Windows 10 4.2 3.8 0 /S:U/C:N/I:L/
Version 1607 for x64-based Systems A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 10 Version 1703 for 32-bit AC:H/PR:N/UI:N
Systems Windows 10 Version 1703 4.2 3.8 0 /S:U/C:N/I:L/
for 32-bit Systems A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 10 Version 1703 for AC:H/PR:N/UI:N
x64-based Systems Windows 10 4.2 3.8 0 /S:U/C:N/I:L/
Version 1703 for x64-based Systems A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 7 for 32-bit Systems AC:H/PR:N/UI:N
Service Pack 1 Windows 7 for 4.2 3.8 0 /S:U/C:N/I:L/
32-bit Systems Service Pack 1 A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 7 for x64-based Systems AC:H/PR:N/UI:N
Service Pack 1 Windows 7 for 4.2 3.8 0 /S:U/C:N/I:L/
x64-based Systems Service Pack 1 A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 8.1 for 32-bit systems AC:H/PR:N/UI:N
Windows 8.1 for 32-bit systems 4.2 3.8 0 /S:U/C:N/I:L/
A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows 8.1 for x64-based systems AC:H/PR:N/UI:N
Windows 8.1 for x64-based systems 4.2 3.8 0 /S:U/C:N/I:L/
A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
AC:H/PR:N/UI:N
Windows RT 8.1 Windows RT 8.1 4.2 3.8 0 /S:U/C:N/I:L/
A:L/E:P/RL:O/
RC:C
Windows Server 2008 for 32-bit CVSS:3.0/AV:A/
Systems Service Pack 2 Windows AC:H/PR:N/UI:N
Server 2008 for 32-bit Systems 4.2 3.8 0 /S:U/C:N/I:L/
Service Pack 2 A:L/E:P/RL:O/
RC:C
Windows Server 2008 for 32-bit CVSS:3.0/AV:A/
Systems Service Pack 2 (Server AC:H/PR:N/UI:N
Core installation) Windows Server 4.2 3.8 0 /S:U/C:N/I:L/
2008 for 32-bit Systems Service A:L/E:P/RL:O/
Pack 2 (Server Core installation) RC:C
Windows Server 2008 for x64-based CVSS:3.0/AV:A/
Systems Service Pack 2 Windows AC:H/PR:N/UI:N
Server 2008 for x64-based Systems 4.2 3.8 0 /S:U/C:N/I:L/
Service Pack 2 A:L/E:P/RL:O/
RC:C
Windows Server 2008 for x64-based CVSS:3.0/AV:A/
Systems Service Pack 2 (Server AC:H/PR:N/UI:N
Core installation) Windows Server 4.2 3.8 0 /S:U/C:N/I:L/
2008 for x64-based Systems Service A:L/E:P/RL:O/
Pack 2 (Server Core installation) RC:C
Windows Server 2008 R2 for CVSS:3.0/AV:A/
Itanium-Based Systems Service Pack AC:H/PR:N/UI:N
1 Windows Server 2008 R2 for 4.2 3.8 0 /S:U/C:N/I:L/
Itanium-Based Systems Service Pack A:L/E:P/RL:O/
1 RC:C
Windows Server 2008 R2 for CVSS:3.0/AV:A/
x64-based Systems Service Pack 1 AC:H/PR:N/UI:N
Windows Server 2008 R2 for 4.2 3.8 0 /S:U/C:N/I:L/
x64-based Systems Service Pack 1 A:L/E:P/RL:O/
RC:C
Windows Server 2008 R2 for CVSS:3.0/AV:A/
x64-based Systems Service Pack 1 AC:H/PR:N/UI:N
(Server Core installation) Windows 4.2 3.8 0 /S:U/C:N/I:L/
Server 2008 R2 for x64-based A:L/E:P/RL:O/
Systems Service Pack 1 (Server RC:C
Core installation)
CVSS:3.0/AV:A/
Windows Server 2012 Windows Server AC:H/PR:N/UI:N
2012 4.2 3.8 0 /S:U/C:N/I:L/
A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows Server 2012 (Server Core AC:H/PR:N/UI:N
installation) Windows Server 2012 4.2 3.8 0 /S:U/C:N/I:L/
(Server Core installation) A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows Server 2012 R2 Windows AC:H/PR:N/UI:N
Server 2012 R2 4.2 3.8 0 /S:U/C:N/I:L/
A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows Server 2012 R2 (Server AC:H/PR:N/UI:N
Core installation) Windows Server 4.2 3.8 0 /S:U/C:N/I:L/
2012 R2 (Server Core installation) A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows Server 2016 Windows Server AC:H/PR:N/UI:N
2016 4.2 3.8 0 /S:U/C:N/I:L/
A:L/E:P/RL:O/
RC:C
CVSS:3.0/AV:A/
Windows Server 2016 (Server Core AC:H/PR:N/UI:N
installation) Windows Server 2016 4.2 3.8 0 /S:U/C:N/I:L/
(Server Core installation) A:L/E:P/RL:O/
RC:C
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
FAQ
When did Microsoft release the security updates to address this
vulnerability?
Microsoft released security updates on October 10, 2017 as part of
Update Tuesday to resolve this vulnerability in all affected editions of
Windows. Customers who have Windows Update enabled and who applied the
latest security updates are protected automatically. The Security Update
Guide was updated on October 16, 2017 to provide full disclosure on this
vulnerability in accordance with a multi-vendor coordinated disclosure.
Why did Microsoft delay the disclosure of this vulnerability until October
16, 2017?
Microsoft updated quickly to protect customers as soon as possible, but as
a responsible industry partner and to protect customers also using other
platforms, we abided by coordinated vulnerability disclosure principles
and withheld disclosure until other vendors could develop and release
their own updates.
What is the scope of this multi-vendor coordinated vulnerability disclosure?
In partnership with the International Consortium for Advancement of
Cybersecurity on the Internet (ICASI), Microsoft participated in a
multi-vendor coordinated disclosure to acknowledge and describe several
Wi-Fi Protected Access (WPA) Vulnerabilities. The vulnerabilities
affect multiple platforms, devices, and drivers from partners across
the industry, and ICASI is tracking the overall disclosure to provide
background, guidance, and links to individual vendor documentation. The
ICASI Multi-Vendor Vulnerability Disclosure statement can be found at this
link: http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities
Does this security update fully address these vulnerabilities on Microsoft
Platforms, or do I need to perform any additional steps to be fully
protected?
The provided security updates address the reported vulnerabilities;
however, when affected Windows based systems enter a connected standby
mode in low power situations, the vulnerable functionality may be
offloaded to installed Wi-Fi hardware. To fully address potential
vulnerabilities, you are also encouraged to contact your Wi-Fi
hardware vendor to obtain updated device drivers. For a listing
of affected vendors with links to their documentation, review
the ICASI Multi-Vendor Vulnerability Disclosure statement here:
http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities
Is this vulnerability related to Microsoft Security Advisory ADV170016?
Yes, the Windows Server 2008 platform requires individual update packages, so
Microsoft released the advisory on October 10, 2017 to ensure its inclusion
within the standard deployment tools, and to encourage customers to apply
the update without impacting the multi-vendor disclosure.
How can an attacker exploit this vulnerability?
An attacker could potentially execute a man-in-the-middle attack to intercept
traffic between the target computer and wireless access point. However,
multiple conditions would first need to be met - the attacker would need
to be within the physical proximity of the targeted user, and the user's
computer would need to have wireless networking enabled.
Have there been any active attacks detected?
No. When this security advisory was issued, Microsoft had not received any
information to indicate that this vulnerability had been publicly used to
attack customers.
Acknowledgments
Mathy Vanhoef (@vanhoefm) of imec-DistriNet, KU Leuven
See acknowledgments for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWeV2uYx+lLeg9Ub1AQg9tg//abBGmVrlYDQXWMJGu/0eGk4p6e9bzzRh
kTHUFH5aNkMYcydDWDVflL6S/Z9BS/pbZSuHI96gPYd2v1U2UDCiKhHULzr09fS4
S+SW5VofYLlbnJSizk2AH12ifVRR3yEpVVbpj9w4ph9+u3sf10fsevD4+Mmlc4Hy
MsbBN0R1fGvhwcaN7zRUDG0hLhUyZ4Rl1r608MuoP42oYJjDgAExGlxkZSZPThIU
Z0oAJdS4/v6/7rLUlnM4hvLG990cuO4RXq25cvb+nvXLVZXvsN0wzehd4ttpvlCY
AuheUxe+UrTwX6QWHNnOtm4NKB3aLMRzcC4d2fYCfC1WGbCe+jbQYT1mRAma/md3
YZDRiKdBlEaG4EIgrad4ZUGlJuVQ4Vh20TTReN2Y632Mg1iN2EnGFHmpTeKLfxF1
cKGQgkzH3S9mddeJ/Gp6SMpkQyUqtFKl8kzR0ukeCQzpEKuS0Zx10AiwxGusX0FB
cFShNkgp6kBz1cBkDJoZijJb8kaGXFbHq4qsHFbEfBFPU1wAg/LZFjyCA/YFjmDe
Rs8rYFLSN+ItX7RpoRXKBslhdoPuaGtny2oOPehgCDqW/DSnZxwNW+ONi8UtyGAl
yZRHyrnR6r6vy5yxP2ZZWyLmFbw+IDNrPpXCKf6WXtKoS+r57gIkvJlQ0QQRxV02
6Bh/hMBVzlg=
=4uXM
-----END PGP SIGNATURE-----