Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse

Vulnerability Note VU#228519

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse

Original Release date: 16 Oct 2017 | Last revised: 16 Oct 2017

Overview

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames.

Description

CWE-323: Reusing a Nonce, Key Pair in Encryption

Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

The following CVE IDs have been assigned to document these vulnerabilities in the WPA2 protocol:

  • CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
  • CVE-2017-13078: reinstallation of the group key in the Four-way handshake
  • CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
  • CVE-2017-13080: reinstallation of the group key in the Group Key handshake
  • CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
  • CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it
  • CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
  • CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

For a detailed description of these issues, refer to the researcher's website and paper.

Impact

An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

Solution

Install Updates

The WPA2 protocol is ubiquitous in wireless networking. The vulnerabilities described here are in the standard itself as opposed to individual implementations thereof; as such, any correct implementation is likely affected. Users are encouraged to install updates to affected products and hosts as they are available. For information about a specific vendor or product, check the Vendor Information section of this document or contact the vendor directly. Note that the vendor list below is not exhaustive.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated

Aruba NetworksAffected28 Aug 201709 Oct 2017

CiscoAffected28 Aug 201710 Oct 2017

Espressif SystemsAffected22 Sep 201713 Oct 2017

Fortinet, Inc.Affected28 Aug 201716 Oct 2017

FreeBSD ProjectAffected28 Aug 201712 Oct 2017

HostAPAffected30 Aug 201716 Oct 2017

Intel CorporationAffected28 Aug 201710 Oct 2017

Juniper NetworksAffected28 Aug 201728 Aug 2017

Microchip TechnologyAffected28 Aug 201716 Oct 2017

Red Hat, Inc.Affected28 Aug 201704 Oct 2017

Samsung MobileAffected28 Aug 201712 Oct 2017

Toshiba Commerce SolutionsAffected15 Sep 201713 Oct 2017

Toshiba Electronic Devices & Storage CorporationAffected28 Aug 201716 Oct 2017

Toshiba Memory CorporationAffected28 Aug 201716 Oct 2017

Ubiquiti NetworksAffected28 Aug 201716 Oct 2017

If you are a vendor and your product is affected, let us know.View More »
 

CVSS Metrics (Learn More)

GroupScoreVector

Base5.4AV:A/AC:M/Au:N/C:P/I:P/A:P

Temporal4.9E:POC/RL:ND/RC:C

Environmental5.7CDP:ND/TD:H/CR:H/IR:H/AR:ND

References

Credit

Thanks to Mathy Vanhoef of the imec-DistriNet group at KU Leuven for reporting these vulnerabilities. Mathy thanks John A. Van Boxtel for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.

The CERT/CC also thanks ICASI for their efforts to facilitate vendor collaboration on addressing these vulnerabilities.

This document was written by Joel Land.

Other Information