Vulnerability Note VU#228519
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Original Release date: 16 Oct 2017 | Last revised: 16 Nov 2017

Overview
Wi-Fi Protected Access (WPA, more commonly WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client.

An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used.

Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames.

These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACKquot; attacks.

Description
CWE-323: Reusing a Nonce, Key Pair in Encryption
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client.

After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages.

Depending on the data confidentiality protocols in use (e.g.

TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

The following CVE IDs have been assigned to document these vulnerabilities in the WPA2 protocol:

CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it
CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

For a detailed description of these issues, refer to the researcher’s website and paper.

Impact
An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used.
Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

Solution
Install Updates

The WPA2 protocol is ubiquitous in wireless networking.

The vulnerabilities described here are in the standard itself as opposed to individual implementations thereof; as such, any correct implementation is likely affected. Users are encouraged to install updates to affected products and hosts as they are available.

For information about a specific vendor or product, check the Vendor Information section of this document or contact the vendor directly. Note that the vendor list below is not exhaustive.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated9frontAffected-19 Oct 2017
ActiontecAffected30 Aug 201720 Oct 2017
ADTRANAffected-19 Oct 2017
AerohiveAffected30 Aug 201717 Oct 2017
Alcatel-Lucent EnterpriseAffected28 Aug 201708 Nov 2017
Android Open Source ProjectAffected28 Aug 201708 Nov 2017
AppleAffected28 Aug 201701 Nov 2017
Arch LinuxAffected28 Aug 201717 Oct 2017
Aruba NetworksAffected28 Aug 201709 Oct 2017
AsusTek Computer Inc.Affected28 Aug 201719 Oct 2017
AVM GmbHAffected-24 Oct 2017
Barracuda NetworksAffected28 Aug 201724 Oct 2017
BroadcomAffected30 Aug 201717 Oct 2017
Cambium NetworksAffected-26 Oct 2017
CentOSAffected28 Aug 201723 Oct 2017If you are a vendor and your product is affected, let
us know.View More &raquo

CVSS Metrics (Learn More)

Group
Score
Vector

Base
5.4
AV:A/AC:M/Au:N/C:P/I:P/A:P

Temporal
4.9
E:POC/RL:ND/RC:C

Environmental
5.7
CDP:ND/TD:H/CR:H/IR:H/AR:ND

References

https://cwe.mitre.org/data/definitions/323.html
https://www.krackattacks.com/
https://papers.mathyvanhoef.com/ccs2017.pdf

Credit

Thanks to Mathy Vanhoef of the imec-DistriNet group at KU Leuven for reporting these vulnerabilities. Mathy thanks John A.
Van Boxtel for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.

The CERT/CC also thanks ICASI for their efforts to facilitate vendor collaboration on addressing these vulnerabilities.
This document was written by Joel Land.

Other Information

CVE IDs:
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13084
CVE-2017-13086
CVE-2017-13087
CVE-2017-13088

Date Public:
16 Oct 2017

Date First Published:
16 Oct 2017

Date Last Updated:
16 Nov 2017

Document Revision:
142

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply