ID CVE-2017-13088
Summary Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.
References
Vulnerable Configurations
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 17.04
    cpe:2.3:o:canonical:ubuntu_linux:17.04
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • FreeBSD
    cpe:2.3:o:freebsd:freebsd
  • cpe:2.3:o:freebsd:freebsd:10
    cpe:2.3:o:freebsd:freebsd:10
  • FreeBSD 10.4
    cpe:2.3:o:freebsd:freebsd:10.4
  • cpe:2.3:o:freebsd:freebsd:11
    cpe:2.3:o:freebsd:freebsd:11
  • FreeBSD 11.1
    cpe:2.3:o:freebsd:freebsd:11.1
  • openSUSE Leap 42.2
    cpe:2.3:o:opensuse:leap:42.2
  • openSUSE Leap 42.3
    cpe:2.3:o:opensuse:leap:42.3
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7
    cpe:2.3:o:redhat:enterprise_linux_desktop:7
  • cpe:2.3:o:redhat:enterprise_linux_server:7
    cpe:2.3:o:redhat:enterprise_linux_server:7
  • w1.fi Hostapd 0.2.4
    cpe:2.3:a:w1.fi:hostapd:0.2.4
  • cpe:2.3:a:w1.fi:hostapd:0.2.5
    cpe:2.3:a:w1.fi:hostapd:0.2.5
  • cpe:2.3:a:w1.fi:hostapd:0.2.6
    cpe:2.3:a:w1.fi:hostapd:0.2.6
  • cpe:2.3:a:w1.fi:hostapd:0.2.8
    cpe:2.3:a:w1.fi:hostapd:0.2.8
  • w1.fi Hostapd 0.3.7
    cpe:2.3:a:w1.fi:hostapd:0.3.7
  • cpe:2.3:a:w1.fi:hostapd:0.3.9
    cpe:2.3:a:w1.fi:hostapd:0.3.9
  • cpe:2.3:a:w1.fi:hostapd:0.3.10
    cpe:2.3:a:w1.fi:hostapd:0.3.10
  • cpe:2.3:a:w1.fi:hostapd:0.3.11
    cpe:2.3:a:w1.fi:hostapd:0.3.11
  • w1.fi Hostapd 0.4.7
    cpe:2.3:a:w1.fi:hostapd:0.4.7
  • cpe:2.3:a:w1.fi:hostapd:0.4.8
    cpe:2.3:a:w1.fi:hostapd:0.4.8
  • cpe:2.3:a:w1.fi:hostapd:0.4.9
    cpe:2.3:a:w1.fi:hostapd:0.4.9
  • cpe:2.3:a:w1.fi:hostapd:0.4.10
    cpe:2.3:a:w1.fi:hostapd:0.4.10
  • cpe:2.3:a:w1.fi:hostapd:0.4.11
    cpe:2.3:a:w1.fi:hostapd:0.4.11
  • cpe:2.3:a:w1.fi:hostapd:0.5.7
    cpe:2.3:a:w1.fi:hostapd:0.5.7
  • cpe:2.3:a:w1.fi:hostapd:0.5.8
    cpe:2.3:a:w1.fi:hostapd:0.5.8
  • cpe:2.3:a:w1.fi:hostapd:0.5.9
    cpe:2.3:a:w1.fi:hostapd:0.5.9
  • cpe:2.3:a:w1.fi:hostapd:0.5.10
    cpe:2.3:a:w1.fi:hostapd:0.5.10
  • cpe:2.3:a:w1.fi:hostapd:0.5.11
    cpe:2.3:a:w1.fi:hostapd:0.5.11
  • cpe:2.3:a:w1.fi:hostapd:0.6.8
    cpe:2.3:a:w1.fi:hostapd:0.6.8
  • cpe:2.3:a:w1.fi:hostapd:0.6.9
    cpe:2.3:a:w1.fi:hostapd:0.6.9
  • cpe:2.3:a:w1.fi:hostapd:0.6.10
    cpe:2.3:a:w1.fi:hostapd:0.6.10
  • w1.fi Hostapd 0.7.3
    cpe:2.3:a:w1.fi:hostapd:0.7.3
  • cpe:2.3:a:w1.fi:hostapd:1.0
    cpe:2.3:a:w1.fi:hostapd:1.0
  • w1.fi Hostapd 1.1
    cpe:2.3:a:w1.fi:hostapd:1.1
  • w1.fi Hostapd 2.0
    cpe:2.3:a:w1.fi:hostapd:2.0
  • w1.fi Hostapd 2.1
    cpe:2.3:a:w1.fi:hostapd:2.1
  • w1.fi Hostapd 2.2
    cpe:2.3:a:w1.fi:hostapd:2.2
  • w1.fi hostapd 2.3
    cpe:2.3:a:w1.fi:hostapd:2.3
  • w1.fi hostapd 2.4
    cpe:2.3:a:w1.fi:hostapd:2.4
  • w1.fi Hostapd 2.5
    cpe:2.3:a:w1.fi:hostapd:2.5
  • w1.fi hostapd 2.6
    cpe:2.3:a:w1.fi:hostapd:2.6
  • w1.fi WPA Supplicant 0.2.4
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.4
  • w1.fi WPA Supplicant 0.2.5
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.5
  • w1.fi WPA Supplicant 0.2.6
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.6
  • w1.fi WPA Supplicant 0.2.7
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.7
  • w1.fi WPA Supplicant 0.2.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.2.8
  • w1.fi WPA Supplicant 0.3.7
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.7
  • w1.fi WPA Supplicant 0.3.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.8
  • w1.fi WPA Supplicant 0.3.9
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.9
  • w1.fi WPA Supplicant 0.3.10
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.10
  • w1.fi WPA Supplicant 0.3.11
    cpe:2.3:a:w1.fi:wpa_supplicant:0.3.11
  • w1.fi WPA Supplicant 0.4.7
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.7
  • w1.fi WPA Supplicant 0.4.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.8
  • w1.fi WPA Supplicant 0.4.9
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.9
  • w1.fi WPA Supplicant 0.4.10
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.10
  • w1.fi WPA Supplicant 0.4.11
    cpe:2.3:a:w1.fi:wpa_supplicant:0.4.11
  • w1.fi WPA Supplicant 0.5.7
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.7
  • w1.fi WPA Supplicant 0.5.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.8
  • w1.fi WPA Supplicant 0.5.9
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.9
  • w1.fi WPA Supplicant 0.5.10
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.10
  • w1.fi WPA Supplicant 0.5.11
    cpe:2.3:a:w1.fi:wpa_supplicant:0.5.11
  • w1.fi WPA Supplicant 0.6.8
    cpe:2.3:a:w1.fi:wpa_supplicant:0.6.8
  • w1.fi WPA Supplicant 0.6.9
    cpe:2.3:a:w1.fi:wpa_supplicant:0.6.9
  • w1.fi WPA Supplicant 0.6.10
    cpe:2.3:a:w1.fi:wpa_supplicant:0.6.10
  • w1.fi WPA Supplicant 0.7.3
    cpe:2.3:a:w1.fi:wpa_supplicant:0.7.3
  • w1.fi WPA Supplicant 1.0
    cpe:2.3:a:w1.fi:wpa_supplicant:1.0
  • w1.fi WPA Supplicant 1.1
    cpe:2.3:a:w1.fi:wpa_supplicant:1.1
  • w1.fi WPA Supplicant 2.0
    cpe:2.3:a:w1.fi:wpa_supplicant:2.0
  • w1.fi WPA Supplicant 2.1
    cpe:2.3:a:w1.fi:wpa_supplicant:2.1
  • w1.fi WPA Supplicant 2.2
    cpe:2.3:a:w1.fi:wpa_supplicant:2.2
  • w1.fi WPA Supplicant 2.3
    cpe:2.3:a:w1.fi:wpa_supplicant:2.3
  • w1.fi WPA Supplicant 2.4
    cpe:2.3:a:w1.fi:wpa_supplicant:2.4
  • w1.fi WPA Supplicant 2.5
    cpe:2.3:a:w1.fi:wpa_supplicant:2.5
  • w1.fi WPA Supplicant 2.6
    cpe:2.3:a:w1.fi:wpa_supplicant:2.6
  • cpe:2.3:o:suse:linux_enterprise_desktop:12:sp2
    cpe:2.3:o:suse:linux_enterprise_desktop:12:sp2
  • cpe:2.3:o:suse:linux_enterprise_desktop:12:sp3
    cpe:2.3:o:suse:linux_enterprise_desktop:12:sp3
  • cpe:2.3:o:suse:linux_enterprise_point_of_sale:11:sp3
    cpe:2.3:o:suse:linux_enterprise_point_of_sale:11:sp3
  • cpe:2.3:o:suse:linux_enterprise_server:11:sp3:-:-:-:ltss
    cpe:2.3:o:suse:linux_enterprise_server:11:sp3:-:-:-:ltss
  • SUSE Linux Enterprise Server 11 Service Pack 4
    cpe:2.3:o:suse:linux_enterprise_server:11:sp4
  • cpe:2.3:o:suse:linux_enterprise_server:12:-:-:-:ltss
    cpe:2.3:o:suse:linux_enterprise_server:12:-:-:-:ltss
  • cpe:2.3:o:suse:openstack_cloud:6
    cpe:2.3:o:suse:openstack_cloud:6
CVSS
Base: 2.9
Impact:
Exploitability:
CWE CWE-254
CAPEC
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171018_WPA_SUPPLICANT_ON_SL7_X.NASL
    description Security Fix(es) : - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 103960
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103960
    title Scientific Linux Security Update : wpa_supplicant on SL7.x x86_64 (KRACK)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3455-1.NASL
    description Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly handled WPA2. A remote attacker could use this issue with key reinstallation attacks to obtain sensitive information. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled invalid characters in passphrase parameters. A remote attacker could use this issue to cause a denial of service. (CVE-2016-4476) Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled invalid characters in passphrase parameters. A local attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2016-4477). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 103863
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103863
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : wpa vulnerabilities (USN-3455-1) (KRACK)
  • NASL family Firewalls
    NASL id PFSENSE_2_3_5.NASL
    description According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 109037
    published 2018-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109037
    title pfSense < 2.3.5 Multiple Vulnerabilities (KRACK)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-2907.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and control the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-06
    plugin id 104581
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104581
    title Virtuozzo 7 : wpa_supplicant (VZLSA-2017-2907)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1201.NASL
    description This update for hostapd fixes the following issues : - Fix KRACK attacks on the AP side (boo#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088) : Hostap was updated to upstream release 2.6 - fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5314) - fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476) - extended channel switch support for VHT bandwidth changes - added support for configuring new ANQP-elements with anqp_elem=: - fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) - added no_probe_resp_if_max_sta=1 parameter to disable Probe Response frame sending for not-associated STAs if max_num_sta limit has been reached - added option (-S as command line argument) to request all interfaces to be started at the same time - modified rts_threshold and fragm_threshold configuration parameters to allow -1 to be used to disable RTS/fragmentation - EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) - fixed EAPOL reauthentication after FT protocol run - fixed FTIE generation for 4-way handshake after FT protocol run - fixed and improved various FST operations - TLS server - support SHA384 and SHA512 hashes - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) - added support for OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 - EAP-PEAP: support fast-connect crypto binding - RADIUS - fix Called-Station-Id to not escape SSID - add Event-Timestamp to all Accounting-Request packets - add Acct-Session-Id to Accounting-On/Off - add Acct-Multi-Session-Id to Access-Request packets - add Service-Type (= Frames) - allow server to provide PSK instead of passphrase for WPA-PSK Tunnel_password case - update full message for interim accounting updates - add Acct-Delay-Time into Accounting messages - add require_message_authenticator configuration option to require CoA/Disconnect-Request packets to be authenticated - started to postpone WNM-Notification frame sending by 100 ms so that the STA has some more time to configure the key before this frame is received after the 4-way handshake - VHT: added interoperability workaround for 80+80 and 160 MHz channels - extended VLAN support (per-STA vif, etc.) - fixed PMKID derivation with SAE - nl80211 - added support for full station state operations - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames - added initial MBO support; number of extensions to WNM BSS Transition Management - added initial functionality for location related operations - added assocresp_elements parameter to allow vendor specific elements to be added into (Re)Association Response frames - improved Public Action frame addressing - use Address 3 = wildcard BSSID in GAS response if a query from an unassociated STA used that address - fix TX status processing for Address 3 = wildcard BSSID - add gas_address3 configuration parameter to control Address 3 behavior - added command line parameter -i to override interface parameter in hostapd.conf - added command completion support to hostapd_cli - added passive client taxonomy determination (CONFIG_TAXONOMY=y compile option and 'SIGNATURE ' control interface command) - number of small fixes hostapd was updated to upstream release 2.5 - (CVE-2015-1863) is fixed in upstream release 2.5 - fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141 boo#930077) - fixed WMM Action frame parser [http://w1.fi/security/2015-3/] (CVE-2015-4142 boo#930078) - fixed EAP-pwd server missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, boo#930079) - fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] - nl80211 : - fixed vendor command handling to check OUI properly - fixed hlr_auc_gw build with OpenSSL - hlr_auc_gw: allow Milenage RES length to be reduced - disable HT for a station that does not support WMM/QoS - added support for hashed password (NtHash) in EAP-pwd server - fixed and extended dynamic VLAN cases - added EAP-EKE server support for deriving Session-Id - set Acct-Session-Id to a random value to make it more likely to be unique even if the device does not have a proper clock - added more 2.4 GHz channels for 20/40 MHz HT co-ex scan - modified SAE routines to be more robust and PWE generation to be stronger against timing attacks - added support for Brainpool Elliptic Curves with SAE - increased maximum value accepted for cwmin/cwmax - added support for CCMP-256 and GCMP-256 as group ciphers with FT - added Fast Session Transfer (FST) module - removed optional fields from RSNE when using FT with PMF (workaround for interoperability issues with iOS 8.4) - added EAP server support for TLS session resumption - fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) - added mechanism to track unconnected stations and do minimal band steering - number of small fixes
    last seen 2019-02-21
    modified 2017-12-21
    plugin id 104237
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104237
    title openSUSE Security Update : hostapd (openSUSE-2017-1201) (KRACK)
  • NASL family Misc.
    NASL id UBNT_UNIFI_KRACK.NASL
    description According to its self-reported version, the remote networking device is running a version of UniFi OS prior to 3.9.3.7537. It is, therefore, vulnerable to multiple vulnerabilities discovered in the WPA2 handshake protocol.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 103875
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103875
    title Ubiquiti Networks UniFi < 3.9.3.7537 (KRACK)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3999.NASL
    description Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered multiple vulnerabilities in the WPA protocol, used for authentication in wireless networks. Those vulnerabilities apply to both the access point (implemented in hostapd) and the station (implemented in wpa_supplicant). An attacker exploiting the vulnerabilities could force the vulnerable system to reuse cryptographic session keys, enabling a range of cryptographic attacks against the ciphers used in WPA1 and WPA2. More information can be found in the researchers' paper, Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. - CVE-2017-13077 : reinstallation of the pairwise key in the Four-way handshake - CVE-2017-13078 : reinstallation of the group key in the Four-way handshake - CVE-2017-13079 : reinstallation of the integrity group key in the Four-way handshake - CVE-2017-13080 : reinstallation of the group key in the Group Key handshake - CVE-2017-13081 : reinstallation of the integrity group key in the Group Key handshake - CVE-2017-13082 : accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it - CVE-2017-13086 : reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake - CVE-2017-13087 : reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame - CVE-2017-13088 : reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103859
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103859
    title Debian DSA-3999-1 : wpa - security update (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2745-1.NASL
    description This update for wpa_supplicant fixes the security issues : - Several vulnerabilities in standard conforming implementations of the WPA2 protocol have been discovered and published under the code name KRACK. This update remedies those issues in a backwards compatible manner, i.e. the updated wpa_supplicant can interface properly with both vulnerable and patched implementations of WPA2, but an attacker won't be able to exploit the KRACK weaknesses in those connections anymore even if the other party is still vulnerable. [bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103917
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103917
    title SUSE SLED12 / SLES12 Security Update : wpa_supplicant (SUSE-SU-2017:2745-1) (KRACK)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2907.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and control the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103881
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103881
    title CentOS 7 : wpa_supplicant (CESA-2017:2907) (KRACK)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-60BFB576B7.NASL
    description Fix for the Key Reinstallation Attacks ========================================== - hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082) - Fix PTK rekeying to generate a new ANonce - Prevent reinstallation of an already in-use group key and extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088) - Prevent installation of an all-zero TK - TDLS: Reject TPK-TK reconfiguration - WNM: Ignore WNM-Sleep Mode Response without pending request - FT: Do not allow multiple Reassociation Response frames Upstream advisory: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Details and the paper: https://www.krackattacks.com/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 103896
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103896
    title Fedora 26 : 1:wpa_supplicant (2017-60bfb576b7) (KRACK)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1150.NASL
    description A vulnerability was found in how WPA code can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. Those issues are commonly known under the 'KRACK' appellation. According to US-CERT, 'the impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.' CVE-2017-13077 Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake. CVE-2017-13078 Reinstallation of the group key (GTK) in the 4-way handshake. CVE-2017-13079 Reinstallation of the integrity group key (IGTK) in the 4-way handshake. CVE-2017-13080 Reinstallation of the group key (GTK) in the group key handshake. CVE-2017-13081 Reinstallation of the integrity group key (IGTK) in the group key handshake. CVE-2017-13082 Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it. CVE-2017-13084 Reinstallation of the STK key in the PeerKey handshake. CVE-2017-13086 Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake. CVE-2017-13087 Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame. CVE-2017-13088 Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame. For Debian 7 'Wheezy', these problems have been fixed in version 1.0-3+deb7u5. Note that the latter two vulnerabilities (CVE-2017-13087 and CVE-2017-13088) were mistakenly marked as fixed in the changelog whereas they simply did not apply to the 1.0 version of the WPA source code, which doesn't implement WNM sleep mode responses. We recommend that you upgrade your wpa packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 104299
    published 2017-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104299
    title Debian DLA-1150-1 : wpa security update (KRACK)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201711-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201711-03 (hostapd and wpa_supplicant: Key Reinstallation (KRACK) attacks) WiFi Protected Access (WPA and WPA2) and its associated technologies are all vulnerable to the KRACK attacks. Please review the referenced CVE identifiers for details. Impact : An attacker can carry out the KRACK attacks on a wireless network in order to gain access to network clients. Once achieved, the attacker can potentially harvest confidential information (e.g. HTTP/HTTPS), inject malware, or perform a myriad of other attacks. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-29
    plugin id 104511
    published 2017-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104511
    title GLSA-201711-03 : hostapd and wpa_supplicant: Key Reinstallation (KRACK) attacks (KRACK)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2907.NASL
    description From Red Hat Security Advisory 2017:2907 : An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and control the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es) : * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 103914
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103914
    title Oracle Linux 7 : wpa_supplicant (ELSA-2017-2907) (KRACK)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_D670A953B2A111E7A633009C02A2AB30.NASL
    description wpa_supplicant developers report : A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 103862
    published 2017-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103862
    title FreeBSD : WPA packet number reuse with replayed messages and key reinstallation (d670a953-b2a1-11e7-a633-009c02a2ab30) (KRACK)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1241.NASL
    description According to the versions of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients. (CVE-2017-13079) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. (CVE-2017-13081) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104576
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104576
    title EulerOS 2.0 SP1 : wpa_supplicant (EulerOS-SA-2017-1241)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1242.NASL
    description According to the versions of the wpa_supplicant package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients. (CVE-2017-13079) - Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. (CVE-2017-13081) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104577
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104577
    title EulerOS 2.0 SP2 : wpa_supplicant (EulerOS-SA-2017-1242)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2907.NASL
    description An update for wpa_supplicant is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and control the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es): * A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103916
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103916
    title RHEL 7 : wpa_supplicant (RHSA-2017:2907) (KRACK)
  • NASL family CISCO
    NASL id CISCO-SA-20171016-WPA-ASA_WITH_FIREPOWER_SERVICES.NASL
    description According to its self-reported version, the Cisco ASA with FirePOWER Services is affected by multiple vulnerabilities related to the KRACK attack. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 103856
    published 2017-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103856
    title Cisco ASA FirePOWER Services Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II (KRACK)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-291-02.NASL
    description New wpa_supplicant packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-01-29
    plugin id 103944
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103944
    title Slackware 14.0 / 14.1 / 14.2 / current : wpa_supplicant (SSA:2017-291-02) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2752-1.NASL
    description This update for wpa_supplicant fixes the following issues: - Several vulnerabilities in standard conforming implementations of the WPA2 protocol have been discovered and published under the code name KRACK. This update remedies those issues in a backwards compatible manner, i.e. the updated wpa_supplicant can interface properly with both vulnerable and patched implementations of WPA2, but an attacker won't be able to exploit the KRACK weaknesses in those connections anymore even if the other party is still vulnerable. [bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 103920
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103920
    title SUSE SLES11 Security Update : wpa_supplicant (SUSE-SU-2017:2752-1) (KRACK)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-F45E844A85.NASL
    description Fix for the Key Reinstallation Attacks - hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082) - Fix PTK rekeying to generate a new ANonce - Prevent reinstallation of an already in-use group key and extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088) - Prevent installation of an all-zero TK - TDLS: Reject TPK-TK reconfiguration - WNM: Ignore WNM-Sleep Mode Response without pending request - FT: Do not allow multiple Reassociation Response frames Upstream advisory: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Details and the paper: https://www.krackattacks.com/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 106004
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106004
    title Fedora 27 : 1:wpa_supplicant (2017-f45e844a85) (KRACK)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-12E76E8364.NASL
    description Fix for the Key Reinstallation Attacks - hostapd: Avoid key reinstallation in FT handshake (CVE-2017-13082) - Fix PTK rekeying to generate a new ANonce - Prevent reinstallation of an already in-use group key and extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases (CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088) - Prevent installation of an all-zero TK - TDLS: Reject TPK-TK reconfiguration - WNM: Ignore WNM-Sleep Mode Response without pending request - FT: Do not allow multiple Reassociation Response frames Upstream advisory: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Details and the paper: https://www.krackattacks.com/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 103884
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103884
    title Fedora 25 : 1:wpa_supplicant (2017-12e76e8364) (KRACK)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1163.NASL
    description This update for wpa_supplicant fixes the following security issues: - Several vulnerabilities in standard conforming implementations of the WPA2 protocol have been discovered and published under the code name KRACK. This update remedies those issues in a backwards compatible manner, i.e. the updated wpa_supplicant can interface properly with both vulnerable and patched implementations of WPA2, but an attacker won't be able to exploit the KRACK weaknesses in those connections anymore even if the other party is still vulnerable. [bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088] This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-01-29
    plugin id 104076
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104076
    title openSUSE Security Update : wpa_supplicant (openSUSE-2017-1163) (KRACK)
redhat via4
advisories
bugzilla
id 1500304
title CVE-2017-13088 wpa_supplicant: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
oval
AND
  • comment wpa_supplicant is earlier than 1:2.6-5.el7_4.1
    oval oval:com.redhat.rhsa:tst:20172907005
  • comment wpa_supplicant is signed with Red Hat redhatrelease2 key
    oval oval:com.redhat.rhsa:tst:20141956006
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
rhsa
id RHSA-2017:2907
released 2017-10-17
severity Important
title RHSA-2017:2907: wpa_supplicant security update (Important)
rpms wpa_supplicant-1:2.6-5.el7_4.1
refmap via4
bid 101274
cert-vn VU#228519
cisco 20171016 Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II
confirm
debian DSA-3999
freebsd FreeBSD-SA-17:07
gentoo GLSA-201711-03
misc
sectrack
  • 1039573
  • 1039576
  • 1039577
  • 1039578
  • 1039581
suse
  • SUSE-SU-2017:2745
  • SUSE-SU-2017:2752
  • openSUSE-SU-2017:2755
ubuntu USN-3455-1
the hacker news via4
id THN:29EC2E0BD61CF15B2E756ECA04EDFF50
last seen 2018-01-27
modified 2017-10-19
published 2017-10-15
reporter Swati Khandelwal
source https://thehackernews.com/2017/10/wpa2-krack-wifi-hacking.html
title KRACK Demo: Critical Key Reinstallation Attack Against Widely-Used WPA2 Wi-Fi Protocol
Last major update 17-10-2017 - 09:29
Published 17-10-2017 - 09:29
Last modified 18-07-2018 - 21:29