Vulnerability Note VU#228519
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Wi-Fi Protected Access (WPA, more commonly WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks.
CWE-323: Reusing a Nonce, Key Pair in Encryption
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.
For a detailed description of these issues, refer to the researcher's website and paper.
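The effect described above, as an added example that is not part of the original note or any vendor's code: a toy model of a client whose packet-number (nonce) counter is reset when a retransmitted handshake message causes the session key to be installed again, next to a variant that refuses to reinstall a key already in use. The class, function names, key value, and the use of message 3 of the Four-way handshake as the trigger are assumptions made for illustration.

```python
class Supplicant:
    """Toy model (constructed, not 802.11 code) of a client's session-key state."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.installed_key = None
        self.packet_number = 0
        self.nonces_used = []  # (key, packet number) for every frame sent

    def on_message3(self, key):
        """Handshake message 3 asks the client to install the session key."""
        if self.hardened and key == self.installed_key:
            return False  # key already in use: keep the counter running
        self.installed_key = key
        self.packet_number = 0  # (re)installation resets the nonce counter
        return True

    def send_frame(self):
        """Each protected data frame consumes the next packet number."""
        self.packet_number += 1
        self.nonces_used.append((self.installed_key, self.packet_number))


def reused_nonces(client):
    """Return (key, packet number) pairs that protected more than one frame."""
    seen, reused = set(), []
    for pair in client.nonces_used:
        if pair in seen:
            reused.append(pair)
        seen.add(pair)
    return reused


def run(hardened):
    """Constructed trace: message 3, two frames, message 3 again, two frames."""
    client = Supplicant(hardened)
    key = b"constructed-session-key"
    client.on_message3(key)
    for _ in range(2):
        client.send_frame()
    client.on_message3(key)  # retransmitted message 3 reaches the client
    for _ in range(2):
        client.send_frame()
    return reused_nonces(client)


if __name__ == "__main__":
    print("unpatched:", run(False), "hardened:", run(True))
```

In the unpatched run, packet numbers 1 and 2 each protect two different frames under the same key, which is the nonce reuse classified under CWE-323; the hardened run uses packet numbers 1 through 4 once each.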
An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| 9front | Affected | - | 19 Oct 2017 |
| Actiontec | Affected | 30 Aug 2017 | 20 Oct 2017 |
| ADTRAN | Affected | - | 19 Oct 2017 |
| Aerohive | Affected | 30 Aug 2017 | 17 Oct 2017 |
| Alcatel-Lucent Enterprise | Affected | 28 Aug 2017 | 08 Nov 2017 |
| Android Open Source Project | Affected | 28 Aug 2017 | 08 Nov 2017 |
| Apple | Affected | 28 Aug 2017 | 01 Nov 2017 |
| Arch Linux | Affected | 28 Aug 2017 | 17 Oct 2017 |
| Aruba Networks | Affected | 28 Aug 2017 | 09 Oct 2017 |
| AsusTek Computer Inc. | Affected | 28 Aug 2017 | 19 Oct 2017 |
| AVM GmbH | Affected | - | 24 Oct 2017 |
| Barracuda Networks | Affected | 28 Aug 2017 | 24 Oct 2017 |
| Broadcom | Affected | 30 Aug 2017 | 17 Oct 2017 |
| Cambium Networks | Affected | - | 26 Oct 2017 |
| CentOS | Affected | 28 Aug 2017 | 23 Oct 2017 |
CVSS Metrics
Thanks to Mathy Vanhoef of the imec-DistriNet group at KU Leuven for reporting these vulnerabilities. Mathy thanks John A. Van Boxtel for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.
The CERT/CC also thanks ICASI for their efforts to facilitate vendor collaboration on addressing these vulnerabilities.
This document was written by Joel Land.
- CVE IDs: CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13084 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088
- Date Public: 16 Oct 2017
- Date First Published: 16 Oct 2017
- Date Last Updated: 16 Nov 2017
- Document Revision: 142