Vulnerability Note VU#228519

Wi-Fi Protected Access II (WPA2) handshake traffic

can be manipulated to induce nonce and session key
reuse
Overview
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and
session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An
attacker within range of an affected AP and client may leverage these vulnerabilities to conduct
attacks that are dependent on the data confidentiality protocols being used. Attacks may include
arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or
the replay of unicast and group-addressed frames.
Description
CWE-323: Reusing a Nonce, Key Pair in Encryption
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key
reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a
man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing
and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS)
Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network
Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission
of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and
situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately
to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection
hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

The following CVE IDs have been assigned to document these vulnerabilities in the WPA2 protocol:
CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and
reinstalling the pairwise key while processing it
CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key
in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network
Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless
Network Management (WNM) Sleep Mode Response frame

For a detailed description of these issues, refer to the researcher's website and paper.
Impact
An attacker within the wireless communications range of an affected AP and client may leverage these
vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used.
Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content
injection, or the replay of unicast, broadcast, and multicast frames.
Solution
Install Updates

The WPA2 protocol is ubiquitous in wireless networking. The vulnerabilities described here are in the
standard itself as opposed to individual implementations thereof; as such, any correct implementation is
likely affected. Users are encouraged to install updates to affected products and hosts as they are
available. For information about a specific vendor or product, check the Vendor Information section of
this document or contact the vendor directly. Note that the vendor list below is not exhaustive.
Vendor Information (Learn More)
Vendor Status Date Notified Date Updated
Aruba Networks Affected 28 Aug 2017 09 Oct 2017
Cisco Affected 28 Aug 2017 10 Oct 2017
Espressif Systems Affected 22 Sep 2017 13 Oct 2017
FreeBSD Project Affected 28 Aug 2017 12 Oct 2017
HostAP Affected 30 Aug 2017 16 Oct 2017
Intel Corporation Affected 28 Aug 2017 10 Oct 2017
Juniper Networks Affected 28 Aug 2017 28 Aug 2017
Microchip Technology Affected 28 Aug 2017 16 Oct 2017
Red Hat, Inc. Affected 28 Aug 2017 04 Oct 2017
Samsung Mobile Affected 28 Aug 2017 12 Oct 2017
Toshiba Commerce Solutions Affected 15 Sep 2017 13 Oct 2017
Toshiba Electronic Devices & Storage
Corporation Affected 28 Aug 2017 16 Oct 2017
Toshiba Memory Corporation Affected 28 Aug 2017 16 Oct 2017
Ubiquiti Networks Affected 28 Aug 2017 16 Oct 2017
ZyXEL Affected 28 Aug 2017 13 Oct 2017
If you are a vendor and your product is affected, let us know.View More

CVSS Metrics (Learn More)

Group Score Vector
Base 5,4 AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal 4,9 E:POC/RL:ND/RC:C
Environmental 5,7 CDP:ND/TD:H/CR:H/IR:H/AR:ND
References
https://cwe.mitre.org/data/definitions/323.html
https://www.krackattacks.com/
https://papers.mathyvanhoef.com/ccs2017.pdf
Credit
Thanks to Mathy Vanhoef of the imec-DistriNet group at KU Leuven for reporting these
vulnerabilities. Mathy thanks John A. Van Boxtel for finding that wpa_supplicant v2.6 is also
vulnerable to CVE-2017-13077.
This document was written by Joel Land.
Other Information
CVE IDs:CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-
2017-13081 CVE-2017-13082 CVE-2017-13084 CVE-2017-13086 CVE-2017-
13087 CVE-2017-13088
Date Public: 16 oct 2017
Date First Published: 16 oct 2017
Date Last Updated: 16 oct 2017
Document Revision: 63
Feedback