[lacnog] Vulnerability Note VU#228519

Lucimara Desiderá lucimara en cert.br
Lun Oct 16 14:55:49 BRST 2017


https://www.kb.cert.org/vuls/id/228519


Vulnerability Note VU#228519
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to
induce nonce and session key reuse

Original Release date: 16 Oct 2017 | Last revised: 16 Oct 2017
Print Document

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to
induce nonce and session key reuse, resulting in key reinstallation by a
wireless access point (AP) or client. An attacker within range of an
affected AP and client may leverage these vulnerabilities to conduct
attacks that are dependent on the data confidentiality protocols being
used. Attacks may include arbitrary packet decryption and injection, TCP
connection hijacking, HTTP content injection, or the replay of unicast
and group-addressed frames.
Description

CWE-323: Reusing a Nonce, Key Pair in Encryption

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to
induce nonce and session key reuse, resulting in key reinstallation by a
victim wireless access point (AP) or client. After establishing a
man-in-the-middle position between an AP and client, an attacker can
selectively manipulate the timing and transmission of messages in the
WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition,
PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless
Network Management (WNM) Sleep Mode handshakes, resulting in
out-of-sequence reception or retransmission of messages. Depending on
the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP)
and situational factors, the effect of these manipulations is to reset
nonces and replay counters and ultimately to reinstall session keys. Key
reuse facilitates arbitrary packet decryption and injection, TCP
connection hijacking, HTTP content injection, or the replay of unicast,
broadcast, and multicast frames.

The following CVE IDs have been assigned to document these
vulnerabilities in the WPA2 protocol:

    CVE-2017-13077: reinstallation of the pairwise key in the Four-way
handshake
    CVE-2017-13078: reinstallation of the group key in the Four-way
handshake
    CVE-2017-13079: reinstallation of the integrity group key in the
Four-way handshake
    CVE-2017-13080: reinstallation of the group key in the Group Key
handshake
    CVE-2017-13081: reinstallation of the integrity group key in the
Group Key handshake
    CVE-2017-13082: accepting a retransmitted Fast BSS Transition
Reassociation Request and reinstalling the pairwise key while processing it
    CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
    CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup
(TDLS) PeerKey (TPK) key in the TDLS handshake
    CVE-2017-13087: reinstallation of the group key (GTK) when
processing a Wireless Network Management (WNM) Sleep Mode Response frame
    CVE-2017-13088: reinstallation of the integrity group key (IGTK)
when processing a Wireless Network Management (WNM) Sleep Mode Response
frame


For a detailed description of these issues, refer to the researcher's
website and paper.

Impact

An attacker within the wireless communications range of an affected AP
and client may leverage these vulnerabilities to conduct attacks that
are dependent on the data confidentiality protocol being used. Impacts
may include arbitrary packet decryption and injection, TCP connection
hijacking, HTTP content injection, or the replay of unicast, broadcast,
and multicast frames.
Solution

Install Updates

The WPA2 protocol is ubiquitous in wireless networking. The
vulnerabilities described here are in the standard itself as opposed to
individual implementations thereof; as such, any correct implementation
is likely affected. Users are encouraged to install updates to affected
products and hosts as they are available. For information about a
specific vendor or product, check the Vendor Information section of this
document or contact the vendor directly. Note that the vendor list below
is not exhaustive.
Vendor Information (Learn More)
Vendor	Status	Date Notified	Date Updated
Aruba Networks	Affected	28 Aug 2017	09 Oct 2017
Cisco	Affected	28 Aug 2017	10 Oct 2017
Espressif Systems	Affected	22 Sep 2017	13 Oct 2017
Fortinet, Inc.	Affected	28 Aug 2017	16 Oct 2017
FreeBSD Project	Affected	28 Aug 2017	12 Oct 2017
HostAP	Affected	30 Aug 2017	16 Oct 2017
Intel Corporation	Affected	28 Aug 2017	10 Oct 2017
Juniper Networks	Affected	28 Aug 2017	28 Aug 2017
Microchip Technology	Affected	28 Aug 2017	16 Oct 2017
Red Hat, Inc.	Affected	28 Aug 2017	04 Oct 2017
Samsung Mobile	Affected	28 Aug 2017	12 Oct 2017
Toshiba Commerce Solutions	Affected	15 Sep 2017	13 Oct 2017
Toshiba Electronic Devices & Storage Corporation	Affected	28 Aug 2017	16
Oct 2017
Toshiba Memory Corporation	Affected	28 Aug 2017	16 Oct 2017
Ubiquiti Networks	Affected	28 Aug 2017	16 Oct 2017
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)
Group 	Score 	Vector
Base 	5.4 	AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal 	4.9 	E:POC/RL:ND/RC:C
Environmental 	5.7 	CDP:ND/TD:H/CR:H/IR:H/AR:ND
References

    https://cwe.mitre.org/data/definitions/323.html
    https://www.krackattacks.com/
    https://papers.mathyvanhoef.com/ccs2017.pdf

Credit

Thanks to Mathy Vanhoef of the imec-DistriNet group at KU Leuven for
reporting these vulnerabilities. Mathy thanks John A. Van Boxtel for
finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.

The CERT/CC also thanks ICASI for their efforts to facilitate vendor
collaboration on addressing these vulnerabilities.

This document was written by Joel Land.
Other Information

    CVE IDs: CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
CVE-2017-13081 CVE-2017-13082 CVE-2017-13084 CVE-2017-13086
CVE-2017-13087 CVE-2017-13088
    Date Public: 16 Oct 2017
    Date First Published: 16 Oct 2017
    Date Last Updated: 16 Oct 2017
    Document Revision: 69

Feedback

If you have feedback, comments, or additional information about this
vulnerability, please send us email.
Quick Search

Advanced Search »
View Notes By

    Date Published
    Date Public
    Date Updated
    CVSS Score

Report a Vulnerability

Report a VulnerabilityPlease use the Vulnerability Reporting Form to
report a vulnerability. Alternatively, you can send us email. Be sure to
read our vulnerability disclosure policy.
Connect with Us

    Subscribe to our feed
    Read the CERT/CC blog



Más información sobre la lista de distribución LACNOG