ID

VAR-201710-0207

CVE

CVE-2017-13080

TITLE

Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse

DESCRIPTION

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). 7) - x86_64 3. CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven Installation note: Firmware version 7.7.9 is installed on AirPort Extreme or AirPort Time Capsule base stations with 802.11ac using AirPort Utility for Mac or iOS. AirPort Utility for Mac is a free download from https://support.apple.com/downloads/ and AirPort Utility for iOS is a free download from the App Store. Those vulnerabilities applies to both the access point (implemented in hostapd) and the station (implemented in wpa_supplicant). An attacker exploiting the vulnerabilities could force the vulnerable system to reuse cryptographic session keys, enabling a range of cryptographic attacks against the ciphers used in WPA1 and WPA2. For the stable distribution (stretch), these problems have been fixed in version 2:2.4-1+deb9u1. For the testing distribution (buster), these problems have been fixed in version 2:2.4-1.1. For the unstable distribution (sid), these problems have been fixed in version 2:2.4-1.1. We recommend that you upgrade your wpa packages. ========================================================================== Ubuntu Security Notice USN-3455-1 October 16, 2017 wpa vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.04 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in wpa_supplicant. Software Description: - wpa: client support for WPA and WPA2 Details: Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly handled WPA2. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled invalid characters in passphrase parameters. A remote attacker could use this issue to cause a denial of service. (CVE-2016-4476) Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled invalid characters in passphrase parameters. A local attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2016-4477) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.04: hostapd 2.4-0ubuntu9.1 wpasupplicant 2.4-0ubuntu9.1 Ubuntu 16.04 LTS: hostapd 2.4-0ubuntu6.2 wpasupplicant 2.4-0ubuntu6.2 Ubuntu 14.04 LTS: hostapd 2.1-0ubuntu1.5 wpasupplicant 2.1-0ubuntu1.5 After a standard system update you need to reboot your computer to make all the necessary changes. CVE-2017-13804: @qwertyoruiopz at KJC Research Intl. S.R.L. CVE-2017-13785: Ivan Fratric of Google Project Zero CVE-2017-13784: Ivan Fratric of Google Project Zero CVE-2017-13783: Ivan Fratric of Google Project Zero CVE-2017-13788: xisigr of Tencent's Xuanwu Lab (tencent.com) CVE-2017-13798: Ivan Fratric of Google Project Zero CVE-2017-13795: Ivan Fratric of Google Project Zero CVE-2017-13802: Ivan Fratric of Google Project Zero CVE-2017-13792: Ivan Fratric of Google Project Zero CVE-2017-13794: Ivan Fratric of Google Project Zero CVE-2017-13791: Ivan Fratric of Google Project Zero CVE-2017-13796: Ivan Fratric of Google Project Zero CVE-2017-13793: Hanul Choi working with Trend Micro's Zero Day Initiative CVE-2017-13803: chenqin (ee|) of Ant-financial Light-Year Security Wi-Fi Available for: Apple TV 4K Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK) Description: A logic issue existed in the handling of state transitions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-12-13-7 Additional information for APPLE-SA-2017-12-6-4 tvOS 11.2 tvOS 11.2 addresses the following: IOSurface Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13861: Ian Beer of Google Project Zero Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13862: Apple CVE-2017-13876: Ian Beer of Google Project Zero CVE-2017-13867: Ian Beer of Google Project Zero Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2017-13833: Brandon Azad Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: A type confusion issue was addressed with improved memory handling. CVE-2017-13855: Jann Horn of Google Project Zero Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-13865: Ian Beer of Google Project Zero CVE-2017-13868: Brandon Azad CVE-2017-13869: Jann Horn of Google Project Zero WebKit Available for: Apple TV 4K and Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7156: an anonymous researcher CVE-2017-7157: an anonymous researcher CVE-2017-13856: Jeonghoon Shin CVE-2017-13870: an anonymous researcher CVE-2017-13866: an anonymous researcher Entry added December 13, 2017 Wi-Fi Available for: Apple TV (4th generation) Released for Apple TV 4K in tvOS 11.1. This was addressed with improved state management. CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software." To check the current version of software, select "Settings -> General -> About." Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCgBHFiEEcuX4rtoRe4X62yWlg6PvjDRstEYFAloxpFopHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQg6PvjDRstEYA7xAA rS/mqu8UXd7eap0Doz7R4W40l1/OOcvI4Y19Krifw4WdfO9+xN9zHDaOrFzWmzSw CQ55aclEgkk2CDGbuMmVtiKstFzZ2sBrRVygYx9wd1/u1eDpHINNglYVP0cMHeVl RUbrgLgysOkNG9z/ExRK2XrJg7bhcK2grY8wBRaBmIgtfD3u53iNbG1kkEQOBDC3 wfFcO7lZjTQ6k7Sq6dHB7wv0iwwNZKP7JpQ55g70De1dUy8YSecirD4ox2IFYw3m 95EWslKrhRzbX76Pnbqv5Kc9aUEuY4FHR+MuaeAF3hZ5ilixsB2fKYn4eT23R8bu H4yors9ROlKmt7ka96MnbRbPwtF9iSxam0TADQGhmoBdGz7w7C2EesZCNELrftuD xW7pWcnPGKf/Lk3JCstlCWs/h3UK9XkbiGXyRlB9crY7O6xitmoHE6i/m7gJhrrS W013CESh/N5TZu1KH2vjRABb6UqOOFFTSRXZewYrO3TAjFs+w2GUHsAzXoBgeZN5 7Txzx6PcHQkpqvXCPer31GzU19BAJOZHFXXRG+knd5iSoPJOWJ0Pnl+bhjV9hgDy W+rW7nfLYV9cKxNjOAqFZ/zPPd8L5P5dxLY2+wdiIyXn3Oju0qaotZlAZIH5yfd7 fCipgGx+j/2bCuxoXDxHpeauC/sXVXnaqqYViroAnT8= =ZFwH -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: wpa_supplicant security update Advisory ID: RHSA-2017:2911-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2017:2911 Issue date: 2017-10-18 CVE Names: CVE-2017-13077 CVE-2017-13078 CVE-2017-13080 CVE-2017-13087 ===================================================================== 1. Summary: An update for wpa_supplicant is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: wpa_supplicant-0.7.3-9.el6_9.2.src.rpm i386: wpa_supplicant-0.7.3-9.el6_9.2.i686.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.i686.rpm x86_64: wpa_supplicant-0.7.3-9.el6_9.2.x86_64.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: wpa_supplicant-0.7.3-9.el6_9.2.src.rpm x86_64: wpa_supplicant-0.7.3-9.el6_9.2.x86_64.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: wpa_supplicant-0.7.3-9.el6_9.2.src.rpm i386: wpa_supplicant-0.7.3-9.el6_9.2.i686.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.i686.rpm ppc64: wpa_supplicant-0.7.3-9.el6_9.2.ppc64.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.ppc64.rpm s390x: wpa_supplicant-0.7.3-9.el6_9.2.s390x.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.s390x.rpm x86_64: wpa_supplicant-0.7.3-9.el6_9.2.x86_64.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: wpa_supplicant-0.7.3-9.el6_9.2.src.rpm i386: wpa_supplicant-0.7.3-9.el6_9.2.i686.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.i686.rpm x86_64: wpa_supplicant-0.7.3-9.el6_9.2.x86_64.rpm wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-13077 https://access.redhat.com/security/cve/CVE-2017-13078 https://access.redhat.com/security/cve/CVE-2017-13080 https://access.redhat.com/security/cve/CVE-2017-13087 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/kracks 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:07.wpa Security Advisory The FreeBSD Project Topic: WPA2 protocol vulnerability Category: contrib Module: wpa Announced: 2017-10-16 Credits: Mathy Vanhoef Affects: All supported versions of FreeBSD. Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE) 2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2) 2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13) 2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE) 2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1) 2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22) CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. 0. Revision history v1.0 2017-10-17 Initial release. v1.1 2017-10-19 Add patches for 10.x releases. I. hostapd and wpa_supplicant are implementations of user space daemon for access points and wireless client that implements the WPA2 protocol. II. Problem Description A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. III. Impact Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. IV. Workaround An updated version of wpa_supplicant is available in the FreeBSD Ports Collection. Install version 2.6_2 or later of the security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf to use the new binary: wpa_supplicant_program="/usr/local/sbin/wpa_supplicant" and restart networking. An updated version of hostapd is available in the FreeBSD Ports Collection. Install version 2.6_1 or later of the net/hostapd port/pkg. Once installed, update /etc/rc.conf to use the new binary: hostapd_program="/usr/local/sbin/hostapd" and restart hostapd. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart the Wi-Fi network interfaces/hostapd or reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart the Wi-Fi network interfaces/hostapd or reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE] # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc # gpg --verify wpa-11.patch.asc [FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE] # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc # gpg --verify wpa-10.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/11/ r324697 releng/11.0/ r324698 releng/11.1/ r324699 stable/10/ r324739 releng/10.3/ r324740 releng/10.4/ r324741 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt> <URL:https://www.krackattacks.com/> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc> -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/ F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM 4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0 VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE= =h/5q -----END PGP SIGNATURE-----

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote or local

TYPE

security feature problem

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES