Beruflich Dokumente
Kultur Dokumente
The following CVE IDs have been assigned to document these vulnerabilities in the WPA2 protocol:
CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and
reinstalling the pairwise key while processing it
CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key
in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network
Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless
Network Management (WNM) Sleep Mode Response frame
For a detailed description of these issues, refer to the researcher's website and paper.
Impact
An attacker within the wireless communications range of an affected AP and client may leverage these
vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used.
Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content
injection, or the replay of unicast, broadcast, and multicast frames.
Solution
Install Updates
The WPA2 protocol is ubiquitous in wireless networking. The vulnerabilities described here are in the
standard itself as opposed to individual implementations thereof; as such, any correct implementation is
likely affected. Users are encouraged to install updates to affected products and hosts as they are
available. For information about a specific vendor or product, check the Vendor Information section of
this document or contact the vendor directly. Note that the vendor list below is not exhaustive.
Vendor Information (Learn More)
Vendor Status Date Notified Date Updated
Aruba Networks Affected 28 Aug 2017 09 Oct 2017
Cisco Affected 28 Aug 2017 10 Oct 2017
Espressif Systems Affected 22 Sep 2017 13 Oct 2017
FreeBSD Project Affected 28 Aug 2017 12 Oct 2017
HostAP Affected 30 Aug 2017 16 Oct 2017
Intel Corporation Affected 28 Aug 2017 10 Oct 2017
Juniper Networks Affected 28 Aug 2017 28 Aug 2017
Microchip Technology Affected 28 Aug 2017 16 Oct 2017
Red Hat, Inc. Affected 28 Aug 2017 04 Oct 2017
Samsung Mobile Affected 28 Aug 2017 12 Oct 2017
Toshiba Commerce Solutions Affected 15 Sep 2017 13 Oct 2017
Toshiba Electronic Devices & Storage
Corporation Affected 28 Aug 2017 16 Oct 2017
Toshiba Memory Corporation Affected 28 Aug 2017 16 Oct 2017
Ubiquiti Networks Affected 28 Aug 2017 16 Oct 2017
ZyXEL Affected 28 Aug 2017 13 Oct 2017
If you are a vendor and your product is affected, let us know.View More