CERT/CC Vulnerability Note VU#228519

Overview

Wi-Fi Protected Access (WPA, more commonly WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks.

Description

CWE-323: Reusing a Nonce, Key Pair in Encryption

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

The following CVE IDs have been assigned to document these vulnerabilities in the WPA2 protocol:

CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it
CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

For a detailed description of these issues, refer to the researcher's website and paper.

Impact

An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

Solution

Install Updates

The WPA2 protocol is ubiquitous in wireless networking. The vulnerabilities described here are in the standard itself as opposed to individual implementations thereof; as such, any correct implementation is likely affected. Users are encouraged to install updates to affected products and hosts as they are available. For information about a specific vendor or product, check the Vendor Information section of this document or contact the vendor directly. Note that the vendor list below is not exhaustive.

Vendor Information

228519

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

9front Affected

ADTRAN Affected

AVM GmbH Affected

Actiontec Affected

Aerohive Affected

Alcatel-Lucent Enterprise Affected

Android Open Source Project Affected

Apple Affected

Arch Linux Affected

Aruba Networks Affected

AsusTek Computer Inc. Affected

Notified: August 28, 2017 Updated: October 19, 2017

Status

Affected

Vendor Statement

10/18/2017 Security advisory for the vulnerabilities of WPA2 protocol

ASUS is aware of the recent WPA2 vulnerability issue. We take your security and privacy seriously and are currently working towards a full solution as quickly as possible. In the meantime, we want to help clarify the severity of the potential threat, and let our valued customers know the appropriate steps to take in order to avoid or lessen the threat of being compromised.

Your devices are only vulnerable if an attacker is in physical proximity to your wireless network and is able to gain access to it. This exploit cannot steal your banking information, passwords, or other data on a secured connection that utilizes proper end-to-end encryption. However, an attacker could capture and read this information on an unsecured connection via an exploited WiFi network. Depending on the network configuration, it is also possible for the attacker to redirect network traffic, send invalid data to devices or even inject malware into the network.

We are feverishly working with chipset suppliers to resolve this vulnerability and will release patched firmware for affected routers in the near future. Before this patched firmware is released, here are a few cautions all users should take:

(1) Avoid public Wi-Fi and Hotspots until the routers and your devices are updated. Use cellular network connections if possible.
(2) Only connect to secured services that you trust or have been verified. Web pages that use HTTPS or another secure connection will include HTTPS in the URL. If the connection is secured using TLS 1.2 your activities with that service is safe for now.
(3) Keep your operating system and antivirus software up-to-date. Microsoft recently updated Windows to fix this exploit on their latest operating systems. Google and Apple are following suit shortly.
(4) When in doubt, be safe and use your cellular network or a wired connection (Ethernet) to access the internet. This exploit only affects 802.11 traffic between a Wi-Fi router and a connected device on an exploited WiFi connection.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/

Barracuda Networks Affected

Notified: August 28, 2017 Updated: October 24, 2017

Statement Date: October 19, 2017

Status

Affected

Vendor Statement

On October 16th, 2017, a research paper with the title of "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was made publicly available. This paper discusses seven vulnerabilities affecting session key negotiation in both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access II (WPA2) protocols. These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point. Additional research also led to the discovery of three additional vulnerabilities (not discussed in the original paper) affecting wireless supplicant supporting either the 802.11z (Extensions to Direct-Link Setup) standard or the 802.11v (Wireless Network Management) standard. The three additional vulnerabilities could also allow the reinstallation of a pairwise key, group key, or integrity group key.

Risk Rating: High

Affected Products: Our investigations indicate that currently only Barracuda NextGen Firewall Wi-Fi Models used under Wi-Fi Client mode are affected:

F101

F201

F301

F80

F82.DSLA

F82.DSLB

F180

F183

F280

FSC1

Vendor Information

October 18, 2017: Hotfixes have been made available. We do recommend to
update your systems also in case the firewall is used under Access Point mode.

Fixed Vulnerabilities:

CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

Hotfix information and download for firmware 6.2.x

Hotfix information and download for firmware 7.0.x

Hotfix information and download for firmware 7.1.x

Vendor References

https://community.barracudanetworks.com/forum/index.php?/topic/23525-security-advisories/page-2#entry84537

Broadcom Affected

Cambium Networks Affected

CentOS Affected

Cisco Affected

Cradlepoint Affected

Cypress Semiconductor Affected

D-Link Systems, Inc. Affected

Debian GNU/Linux Affected

Dell Affected

Digi International Affected

DrayTek Corporation Affected

Edimax Computer Company Affected

EnGenius Affected

Endian Affected

Espressif Systems Affected

Extreme Networks Affected

F-Secure Corporation Affected

Fedora Project Affected

Fortinet, Inc. Affected

FreeBSD Project Affected

Gentoo Linux Affected

Google Affected

Hewlett Packard Enterprise Affected

HostAP Affected

IPFire Project Affected

Intel Corporation Affected

Juniper Networks Affected

LANCOM Systems GmbH Affected

LEDE Project Affected

LIFX Affected

Lenovo Affected

Microchip Technology Affected

Microsoft Corporation Affected

Mojo Networks Affected

Nest Affected

NetBSD Affected

Netgear, Inc. Affected

OPNsense Affected

OmniROM Affected

Open Mesh Affected

OpenBSD Affected

Peplink Affected

Red Hat, Inc. Affected

Riverbed Technologies Affected

Rockwell Automation Affected

Ruckus Wireless Affected

SUSE Linux Affected

Samsung Mobile Affected

Sierra Wireless Affected

Slackware Linux Inc. Affected

Sonos Affected

Sony Corporation Affected

Sophos, Inc. Affected

Synology Affected

TP-LINK Affected

Technicolor Affected

Updated: October 19, 2017

Statement Date: October 18, 2017

Status

Affected

Vendor Statement

By making use of a model-based approach, researchers from K.U Leuven University have identified several theoretical flaws in the Wi-Fi Protected Acess (WPA) protocol. These weaknesses constitute a new class of attack on the 4-way handshake used in all flavors of WPA/WPA2, named KRACK: Key Reinstallation AttaCK.

This academic research presents an industry-wide issue as all products implementing Wi-Fi are theoretically vulnerable.

In practice, no gateway or modem manufactured by Technicolor, implementing WiFi Access point routing function is affected by this class of attack. This is due to the fact that the vulnerable function allowing practical attack against the Access Point is not present. The end users should continue to use their Technicolor gateway or modem without changing WPA2 settings. In particular, none of these attacks is able to retrieve the WPA private passphrase. This recommendation is also valid for the legacy Thomson and Cisco branded gateways and modems.

The 802.11r standard makes use of a 4-way handshake protocol that was mathematically proven secure by the scientific community. Yet, the research publication exhibits weaknesses in some implementations of this protocol, that can affect the way the client connects to the Access point. For Access Points, the operational impact is very limited. Gateways and modems configured as Wi-Fi Access Point are not potentially concerned, except when supporting Fast BSS Transition handshake introduced with 802.11r standard. Fast BSS Transition handshake is usually not supported on residential gateways and modems, because this feature is intended to minimize roaming time between several access points in a managed network.

Technicolor works constantly to improve security of its products, alongside with the Wi-Fi Alliance. Technicolor remains committed to provide efficient support to its customers and end-users.

Our detailed security bulletins remain reserved for our customers. Customers can contact their Technicolor Customer Technical Support.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Texas Instruments Affected

Toshiba Commerce Solutions Affected

Toshiba Electronic Devices & Storage Corporation Affected

Toshiba Memory Corporation Affected

Notified: August 28, 2017 Updated: October 16, 2017

Statement Date: October 16, 2017

Status

Affected

Vendor Statement

Product 1: FlashAir

SDHC/SDXC Memory Card with embedded wireless LAN functionality FlashAir may have a security vulnerability related to the generation and management of WPA2 key (for general customers)
http://www.toshiba-personalstorage.net/news/20171017.htm

SDHC/SDXC Memory Card with embedded wireless LAN functionality FlashAir may have a security vulnerability related to the generation and management of WPA2 key (for enterprises and users of the website for developers ESC $B! H E S C (B F l a s h A i r D e v e l o p e r s E S C$ B!IESC(B)
https://www.toshiba-memory.co.jp/en/company/news/20171017-1.html

Product 2: CANVIO AeroMobile

VULNERABILITY FOUND RELATED TO THE GENERATION AND MANAGEMENT OF WPA2 KEY
http://support.toshiba.com/support/staticContentDetail?contentId=4015875&isFromTOCLink=false

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Turris Omnia Affected

Ubiquiti Networks Affected

Ubuntu Affected

Volumio Affected

Watchguard Technologies, Inc. Affected

Xiaomi Affected

Xirrus Affected

Zebra Technologies Affected

ZyXEL Affected

dd-wrt Affected

eero Affected

pfSENSE Affected

Arista Networks, Inc. Not Affected

Check Point Software Technologies Not Affected

Dell EMC Not Affected

F5 Networks, Inc. Not Affected

Internet Systems Consortium Not Affected

Internet Systems Consortium - DHCP Not Affected

MikroTik Not Affected

Notified: September 28, 2017 Updated: October 16, 2017

Statement Date: October 10, 2017

Status

Not Affected

Vendor Statement

On October 16. CERT/CC/ICASI released a public announcement about discovered vulnerabilities in WPA2 handshake protocols that affect most WiFi users and all vendors world wide.

RouterOS v6.39.3, v6.40.4, v6.41rc are not affected!
It is important to note that the vulnerability is discovered in the protocol itself, so even a correct implementation is affected.
These organizations did contact us earlier, so we have already released fixed versions that address the outlined issues. Not all of the discovered vulnerabilities directly impact RouterOS users, or even apply to RouterOS, but we did follow all recommendations and improved the key exchange process according to the guidelines we received from the organizations who discovered the issue.
We released fixed versions last week, so if you upgrade your devices routinely, no further action is required.
CWE-323
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13083
CVE-2017-13084
CVE-2017-13085
CVE-2017-13086
CVE-2017-13087

The following applies to RouterOS software prior to updates related to the issue.

nv2
nv2 is not affected in any way. This applies to both - nv2 AP and client. There is no nonce reset in key exchange possible and key re-installation is not possible, because nv2 key exchange does not directly follow 802.11 key exchange specification.

802.11 nonce reuse
RouterOS is not affected in any way, RouterOS generates cryptographically strong random initial nonce on boot and never reuses the same nonce during uptime.

802.11 key reinstallation
The device operating as client in key exchange is affected by this issue. This means that RouterOS in station modes and APs that establish WDS links with other APs are affected. RouterOS APs (both - standalone and CAPsMAN controlled), that do not establish WDS links with other APs, are not affected. Key reinstallation by resending key exchange frame allows attacker to reset encrypted frame packet counter. This allows attacker to replay frames that where previously sent by AP to client. Please note that RouterOS DOES NOT reset key to some known value that would allow attacker to inject/decrypt any frames to/from client.

Suggested course of action
It is always recommended to upgrade to latest RouterOS version, but depending on wireless protocol and mode the suggested course of action is as follows:
- nv2: no action necessary
- 802.11/nstreme AP without WDS: no action necessary
- CAPsMAN: no action necessary
- 802.11/nstreme client (all station modes) or AP with WDS: upgrade to fixed version ASAP.

Vendor Information

Though Mikrotik has self-identified as not affected, they have published updates that "improved WPA2 key exchange reliability" (see https://mikrotik.com/download/changelogs).

Vendor References

https://forum.mikrotik.com/viewtopic.php?f=21&t=126695#p623324

SonicWall Not Affected

VMware Not Affected

3com Inc Unknown

ACCESS Unknown

ARRIS Unknown

AT&T Unknown

Acer Unknown

Alpine Linux Unknown

Amazon Unknown

Atheros Communications, Inc. Unknown

Avaya, Inc. Unknown

Barnes and Noble Unknown

Belkin, Inc. Unknown

BlackBerry Unknown

Blue Coat Systems Unknown

Brocade Communication Systems Unknown

CA Technologies Unknown

CMX Systems Unknown

Contiki OS Unknown

CoreOS Unknown

DesktopBSD Unknown

Devicescape Unknown

DragonFly BSD Project Unknown

ENEA Unknown

EfficientIP SAS Unknown

Ericsson Unknown

European Registry for Internet Domains Unknown

Force10 Networks Unknown

Foundry Brocade Unknown

GNU adns Unknown

GNU glibc Unknown

HTC Unknown

HardenedBSD Unknown

Hitachi Unknown

Honeywell Unknown

Huawei Technologies Unknown

IBM, INC. Unknown

Infoblox Unknown

JH Software Unknown

Joyent Unknown

Kyocera Communications Unknown

LG Electronics Unknown

Lantronix Unknown

Lynx Software Technologies Unknown

Marvell Semiconductor Unknown

McAfee Unknown

MediaTek Unknown

Medtronic Unknown

Motorola, Inc. Unknown

NEC Corporation Unknown

NLnet Labs Unknown

Nexenta Unknown

Nokia Unknown

Nominum Unknown

OmniTI Unknown

OpenDNS Unknown

OpenIndiana Unknown

Openwall GNU/*/Linux Unknown

Oracle Corporation Unknown

Oryx Embedded Unknown

Philips Electronics Unknown

PowerDNS Unknown

Pulse Secure Unknown

QNX Software Systems Inc. Unknown

QUALCOMM Incorporated Unknown

Quadros Systems Unknown

Quantenna Communications Unknown

ReactOS Unknown

Redpine Signals Unknown

Rocket RTOS Unknown

SafeNet Unknown

Secure64 Software Corporation Unknown

SmoothWall Unknown

Snort Unknown

Sony Corporation Unknown

Sourcefire Unknown

Stryker Unknown

Symantec Unknown

TCPWave Unknown

TippingPoint Technologies Inc. Unknown

Tizen Unknown

TrueOS Unknown

Turbolinux Unknown

Unisys Unknown

Welch Allyn Unknown

Wind River Unknown

WizNET Technology Unknown

Xilinx Unknown

Zephyr Project Unknown

dnsmasq Unknown

gdnsd Unknown

m0n0wall Unknown

View all 183 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base	5.4	AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal	4.9	E:POC/RL:ND/RC:C
Environmental	5.7	CDP:ND/TD:H/CR:H/IR:H/AR:ND

References

Acknowledgements

Thanks to Mathy Vanhoef of the imec-DistriNet group at KU Leuven for reporting these vulnerabilities. Mathy thanks John A. Van Boxtel for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.The CERT/CC also thanks ICASI for their efforts to facilitate vendor collaboration on addressing these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs:	CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
Date Public:	2017-10-16
Date First Published:	2017-10-16
Date Last Updated:	2017-11-16 16:37 UTC
Document Revision:	144

Software Engineering Institute

CERT Coordination Center

Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse

Vulnerability Note VU#228519

Overview

Description

Impact

Solution

Vendor Information

9front Affected

ADTRAN Affected

AVM GmbH Affected

Actiontec Affected

Aerohive Affected

Alcatel-Lucent Enterprise Affected

Android Open Source Project Affected

Apple Affected

Arch Linux Affected

Aruba Networks Affected

AsusTek Computer Inc. Affected

Barracuda Networks Affected

Broadcom Affected

Cambium Networks Affected

CentOS Affected

Cisco Affected

Cradlepoint Affected

Cypress Semiconductor Affected

D-Link Systems, Inc. Affected

Debian GNU/Linux Affected

Dell Affected

Digi International Affected

DrayTek Corporation Affected

Edimax Computer Company Affected

EnGenius Affected

Endian Affected

Espressif Systems Affected

Extreme Networks Affected

F-Secure Corporation Affected