VARIoT IoT vulnerabilities database
| VAR-201710-0213 | CVE-2017-13084 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 5.4 CVSS V3: 6.8 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). The WPA2 wireless network has a group key reload vulnerability in the PeerKey handshake. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] wpa_supplicant (SSA:2017-291-02)
New wpa_supplicant packages are available for Slackware 14.0, 14.1, 14.2,
and -current to fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets. This is the
list of vulnerabilities that are addressed here:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the
4-way handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS)
PeerKey (TPK) key in the TDLS handshake.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAlnnrOgACgkQakRjwEAQIjPgvQCfRcXlhuFjrDNPbEUeZrYLxnkW
b+4An0l5cZOdtohI7Fq0NbryWajCOnM2
=5HQM
-----END PGP SIGNATURE-----
| VAR-201710-0668 | CVE-2017-15361 | Infineon RSA library does not properly generate RSA key pairs |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 (before 4.3.5) PGP key generation, and the Cached User Data encryption feature in Chrome OS. This vulnerability is often cited as "ROCA" in the media. Infineon Made RSA The library contains RSA There is a problem that does not generate the key pair properly. As a result, generated using this library RSA The private key corresponding to the public key may be obtained. Cryptographic issues (CWE-310) - CVE-2017-15361 Infineon Made RSA The library contains RSA There is a problem that does not generate the key pair properly. Using the library RSA When generating a key pair, a more efficient search method than the exhaustive key search can be applied. at least 2048 There is a possibility of obtaining a secret key with a key length of less than or equal to bits. This attack was generated by the library RSA It can be applied simply by obtaining a public key. In addition, this case RSA Problem with key generation ECC ( Elliptic curve cryptography ) Is not affected. Also generated by other devices and libraries RSA key Can also be used safely with this library. The library is Trusted Platform Modules (TPM) Or a smart card. Information on affected vendors is available on the developer's site. For details, refer to the information published by the discoverer. Developer site https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160 Information published by the discoverer https://crocs.fi.muni.cz/public/papers/rsa_ccs17Using the library RSA If a key is generated, there is a possibility that a private key may be obtained by a remote third party. An attacker could exploit this vulnerability to compromise the encryption protection mechanism.
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbhf03789en_us
Version: 2
HPESBHF03789 rev.2 - Certain HPE Gen9 Systems with HP Trusted Platform Module
v2.0 Option, Unauthorized Access to Data
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2017-10-18
Last Updated: 2017-10-17
Potential Security Impact: Local: Unauthorized Access to Data; Remote:
Unauthorized Access to Data
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the "HP Trusted
Platform Module 2.0 Option" kit. This optional kit is available for HPE Gen9
systems with firmware version 5.51. The vulnerability in TPM firmware 5.51 is
that new mathematical methods exist such that RSA keys generated by the TPM
2.0 with firmware 5.51 are cryptographically weakened. This vulnerability
could lead to local and remote unauthorized access to data.
References:
- PSRT110605
- PSRT110598
- CVE-2017-15361
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. This is the Gen9 TPM 2.0 option (only Gen9 servers could have this
option). The TPM 2.0 Option for Gen9 servers is not standard on Gen9 servers
- - it is an option.
- HP ProLiant BL460c Gen9 Server Blade n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant BL660c Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant DL120 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant DL160 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant DL360 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant DL380 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant DL388 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant DL580 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant DL60 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant DL80 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant ML110 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HP ProLiant ML150 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE Apollo 4200 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant DL180 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant DL180 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant DL20 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant DL560 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant ML10 Gen9 E3-1225 v5 3.3GHz 4-core 8GB-R 1TB Non-hot Plug
4LFF SATA 300W AP Svr/Promo n/a - only if "HPE Trusted Platform Module 2.0
Kit" w/ FW version 5.51 is installed.
- HPE ProLiant ML10 Gen9 E3-1225 v5 4GB-R 1TB Non-hot Plug 4LFF SATA 300W
Svr/S-Buy n/a - only if "HPE Trusted Platform Module 2.0 Kit" w/ FW version
5.51 is installed.
- HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 1TB Non-hot Plug 4LFF SATA 300W
Perf Svr n/a - only if "HPE Trusted Platform Module 2.0 Kit" w/ FW version
5.51 is installed.
- HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 2TB Non-hot Plug 4LFF SATA 300W
Svr/GO n/a - only if "HPE Trusted Platform Module 2.0 Kit" w/ FW version 5.51
is installed.
- HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 2TB Non-hot Plug 4LFF SATA 300W
Svr/TV n/a - only if "HPE Trusted Platform Module 2.0 Kit" w/ FW version 5.51
is installed.
- HPE ProLiant ML10 Gen9 G4400 4GB-R Non-hot Plug 4LFF SATA 300W Entry Svr
n/a - only if "HPE Trusted Platform Module 2.0 Kit" w/ FW version 5.51 is
installed.
- HPE ProLiant ML30 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant ML350 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant ML350 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL170r Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL190r Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL230a Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL230a Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL250a Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL250a Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL260a Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL450 Gen9 Server n/a - only if "HPE Trusted Platform Module
2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL730f Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL730f Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL740f Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL740f Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL750f Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
- HPE ProLiant XL750f Gen9 Server n/a - only if "HPE Trusted Platform
Module 2.0 Kit" w/ FW version 5.51 is installed.
BACKGROUND
CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2017-15361
7.4 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION
HPE has provided both an updated system ROM, and updated TPM firmware to
correct this issue for impacted systems. Update the system ROM and "HPE
Trusted Platform Module 2.0 Option" to firmware version 5.62 or subsequent.
The latest version of the System ROM is available, and must be updated before
updating the TPM firmware. Use these instructions:
1.Click the following link:
* <http://www.hpe.com/support/hpesc>
2.Enter a product name (e.g., "DL380 Gen9") in the text field under Enter a
Product Name or Number.
3.Click Go.
4.Select the appropriate product model from the Results list (if prompted).
5.Click the "drivers, software & firmware" hyperlink under the Download
Options tab.
6.Select the system's specific operating system from the Operating Systems
dropdown menu.
7.Click the category BIOS - System ROM.
8.Select the latest release of HPE System ROM Version 2.50 (or later).
9.Click Download.
The latest version of the TPM firmware is available. Use these instructions:
1.Click the following link:
* <http://www.hpe.com/support/hpesc>
2.Enter a product name (e.g., "DL380 Gen9") in the text field under Enter a
Product Name or Number.
3.Click Go.
4.Select the appropriate product model from the Results list (if prompted).
5.Click the "drivers, software & firmware" hyperlink under the Download
Options tab.
6.Select the system's specific operating system from the Operating Systems
dropdown menu.
7.Click the category Firmware.
8.Select the latest release of the HPE Trusted Platform Module 2.0 Option
firmware update for HPE Gen9 Severs Version 5.62 (or later).
9.Click Download.
**Note:**
* After the firmware upgrade, the TPM will generate RSA keys using an
improved algorithm. Revoking the weak TPM generated RSA keys will still be
required. Refer to the OS documentation for OS-specific instructions. In
addition, a System ROM update to version 2.50 (or later) is required before
updating the TPM 2.0 firmware.
* Please refer to the HPE *Customer Bulletin* as well:
- **HPE ProLiant Gen9 Servers** - Potential Vulnerability in the HPE
Trusted Platform Module 2.0 Option Firmware Version 5.51 for HPE ProLiant
Gen9 Servers
<http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=a00028289en_us>
HISTORY
Version:1 (rev.1) - 16 October 2017 Initial release
Version:2 (rev.2) - 17 October 2017 Added CVE reference
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported
product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJZ5k72AAoJELXhAxt7SZaiU4EIAKJK3i30Qui8Fqm7/Kr5R/oB
UgW8kg/4EkbEpJ7ewQwjE2gaIMUmo6q2we+mpLU3/4T8+ZcZgxw7hDZqOrOn7V08
rzchXK1oLqdW9vu0BlWrUK6TTWHghW38nwqLHhmxuRavrVR4kYB+ctfFUS3vaSVd
eQWBn6coSrkeToazgtvlPilChl1ygH4NITmLBXPnSbcp8U1yLhF+j0eUKLcZnR8l
OMi65CVCNWCcSL3NV6x4NXvREmehKXGqgokGUe6rBWucU+A21W66GhsnhC5ysa4j
SR8Ungf0W1QihfW3+Jijiu5hC7mrcZrGi+AZAvJDb4S5zvfM+hVUZNuEGa6nzVM=
=KoaT
-----END PGP SIGNATURE-----
| VAR-201710-0975 | CVE-2017-13088 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). The WIG2 wireless network sleep mode has an IGTK key complete reload vulnerability. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: wpa_supplicant security update
Advisory ID: RHSA-2017:2907-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2907
Issue date: 2017-10-17
CVE Names: CVE-2017-13077 CVE-2017-13078 CVE-2017-13080
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088
=====================================================================
1. Summary:
An update for wpa_supplicant is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The wpa_supplicant packages contain an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. They implement key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver. A remote attacker within Wi-Fi range
could exploit these attacks to decrypt Wi-Fi traffic or possibly inject
forged Wi-Fi packets by manipulating cryptographic handshakes used by the
WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Red Hat would like to thank CERT for reporting these issues. Upstream
acknowledges Mathy Vanhoef (University of Leuven) as the original reporter
of these issues. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
aarch64:
wpa_supplicant-2.6-5.el7_4.1.aarch64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.aarch64.rpm
ppc64:
wpa_supplicant-2.6-5.el7_4.1.ppc64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64.rpm
ppc64le:
wpa_supplicant-2.6-5.el7_4.1.ppc64le.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64le.rpm
s390x:
wpa_supplicant-2.6-5.el7_4.1.s390x.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.s390x.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-13077
https://access.redhat.com/security/cve/CVE-2017-13078
https://access.redhat.com/security/cve/CVE-2017-13080
https://access.redhat.com/security/cve/CVE-2017-13082
https://access.redhat.com/security/cve/CVE-2017-13086
https://access.redhat.com/security/cve/CVE-2017-13087
https://access.redhat.com/security/cve/CVE-2017-13088
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/kracks
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
| VAR-201710-0974 | CVE-2017-13087 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). A group key reload vulnerability exists in WPA2 wireless network sleep mode. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: wpa_supplicant security update
Advisory ID: RHSA-2017:2907-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2907
Issue date: 2017-10-17
CVE Names: CVE-2017-13077 CVE-2017-13078 CVE-2017-13080
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088
=====================================================================
1. Summary:
An update for wpa_supplicant is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The wpa_supplicant packages contain an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. They implement key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver. A remote attacker within Wi-Fi range
could exploit these attacks to decrypt Wi-Fi traffic or possibly inject
forged Wi-Fi packets by manipulating cryptographic handshakes used by the
WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Red Hat would like to thank CERT for reporting these issues. Upstream
acknowledges Mathy Vanhoef (University of Leuven) as the original reporter
of these issues. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
aarch64:
wpa_supplicant-2.6-5.el7_4.1.aarch64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.aarch64.rpm
ppc64:
wpa_supplicant-2.6-5.el7_4.1.ppc64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64.rpm
ppc64le:
wpa_supplicant-2.6-5.el7_4.1.ppc64le.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64le.rpm
s390x:
wpa_supplicant-2.6-5.el7_4.1.s390x.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.s390x.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-13077
https://access.redhat.com/security/cve/CVE-2017-13078
https://access.redhat.com/security/cve/CVE-2017-13080
https://access.redhat.com/security/cve/CVE-2017-13082
https://access.redhat.com/security/cve/CVE-2017-13086
https://access.redhat.com/security/cve/CVE-2017-13087
https://access.redhat.com/security/cve/CVE-2017-13088
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/kracks
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes. 6) - i386, x86_64
3.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
| VAR-201710-0214 | CVE-2017-13086 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 5.4 CVSS V3: 6.8 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). The WPA2 wireless network re-installs the tunnel in the TDLS handshake. The TPK key vulnerability exists when the PeerKey is set up directly. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: wpa_supplicant security update
Advisory ID: RHSA-2017:2907-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2907
Issue date: 2017-10-17
CVE Names: CVE-2017-13077 CVE-2017-13078 CVE-2017-13080
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088
=====================================================================
1. Summary:
An update for wpa_supplicant is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The wpa_supplicant packages contain an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. They implement key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver. A remote attacker within Wi-Fi range
could exploit these attacks to decrypt Wi-Fi traffic or possibly inject
forged Wi-Fi packets by manipulating cryptographic handshakes used by the
WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Red Hat would like to thank CERT for reporting these issues. Upstream
acknowledges Mathy Vanhoef (University of Leuven) as the original reporter
of these issues. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1491692 - CVE-2017-13077 wpa_supplicant: Reinstallation of the pairwise key in the 4-way handshake
1491693 - CVE-2017-13078 wpa_supplicant: Reinstallation of the group key in the 4-way handshake
1491696 - CVE-2017-13080 wpa_supplicant: Reinstallation of the group key in the group key handshake
1491698 - CVE-2017-13082 wpa_supplicant: Accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it
1500302 - CVE-2017-13086 wpa_supplicant: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
1500303 - CVE-2017-13087 wpa_supplicant: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
1500304 - CVE-2017-13088 wpa_supplicant: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
aarch64:
wpa_supplicant-2.6-5.el7_4.1.aarch64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.aarch64.rpm
ppc64:
wpa_supplicant-2.6-5.el7_4.1.ppc64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64.rpm
ppc64le:
wpa_supplicant-2.6-5.el7_4.1.ppc64le.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64le.rpm
s390x:
wpa_supplicant-2.6-5.el7_4.1.s390x.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.s390x.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-13077
https://access.redhat.com/security/cve/CVE-2017-13078
https://access.redhat.com/security/cve/CVE-2017-13080
https://access.redhat.com/security/cve/CVE-2017-13082
https://access.redhat.com/security/cve/CVE-2017-13086
https://access.redhat.com/security/cve/CVE-2017-13087
https://access.redhat.com/security/cve/CVE-2017-13088
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/kracks
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address
| VAR-201710-0212 | CVE-2017-13079 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). There is an IGTK group key reloading vulnerability in the fourth handshake of the WPA2 wireless network. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3455-1
CVE-2016-4476, CVE-2016-4477, CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
Package Information:
https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu9.1
https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.2
https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.5
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201711-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: hostapd and wpa_supplicant: Key Reinstallation (KRACK)
attacks
Date: November 10, 2017
Bugs: #634436, #634438
ID: 201711-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A flaw was discovered in the 4-way handshake in hostapd and
wpa_supplicant that allows attackers to conduct a Man in the Middle
attack.
Background
==========
wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE
802.11i / RSN).
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-wireless/hostapd < 2.6-r1 >= 2.6-r1
2 net-wireless/wpa_supplicant
< 2.6-r3 >= 2.6-r3
-------------------------------------------------------------------
2 affected packages
Description
===========
WiFi Protected Access (WPA and WPA2) and it's associated technologies
are all vulnerable to the KRACK attacks. Please review the referenced
CVE identifiers for details.
Impact
======
An attacker can carry out the KRACK attacks on a wireless network in
order to gain access to network clients. Once achieved, the attacker
can potentially harvest confidential information (e.g. HTTP/HTTPS),
inject malware, or perform a myriad of other attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All hostapd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/hostapd-2.6-r1"
All wpa_supplicant users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=net-wireless/wpa_supplicant-2.6-r3"
References
==========
[ 1 ] CVE-2017-13077
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13077
[ 2 ] CVE-2017-13078
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13078
[ 3 ] CVE-2017-13079
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13079
[ 4 ] CVE-2017-13080
.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets. This is the
list of vulnerabilities that are addressed here:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the
4-way handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS)
PeerKey (TPK) key in the TDLS handshake.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
| VAR-201710-0209 | CVE-2017-13082 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 5.8 CVSS V3: 8.1 Severity: HIGH |
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. Wi-Fi Protected Access (WPA, more commonly WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). The PTK-TK encryption key reloading vulnerability exists when the WPA2 wireless network receives and processes the retransmitted fast BSS transition reassociation request. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: wpa_supplicant security update
Advisory ID: RHSA-2017:2907-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2907
Issue date: 2017-10-17
CVE Names: CVE-2017-13077 CVE-2017-13078 CVE-2017-13080
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088
=====================================================================
1. Summary:
An update for wpa_supplicant is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The wpa_supplicant packages contain an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. They implement key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver. A remote attacker within Wi-Fi range
could exploit these attacks to decrypt Wi-Fi traffic or possibly inject
forged Wi-Fi packets by manipulating cryptographic handshakes used by the
WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Red Hat would like to thank CERT for reporting these issues. Upstream
acknowledges Mathy Vanhoef (University of Leuven) as the original reporter
of these issues. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1491692 - CVE-2017-13077 wpa_supplicant: Reinstallation of the pairwise key in the 4-way handshake
1491693 - CVE-2017-13078 wpa_supplicant: Reinstallation of the group key in the 4-way handshake
1491696 - CVE-2017-13080 wpa_supplicant: Reinstallation of the group key in the group key handshake
1491698 - CVE-2017-13082 wpa_supplicant: Accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it
1500302 - CVE-2017-13086 wpa_supplicant: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
1500303 - CVE-2017-13087 wpa_supplicant: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
1500304 - CVE-2017-13088 wpa_supplicant: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
aarch64:
wpa_supplicant-2.6-5.el7_4.1.aarch64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.aarch64.rpm
ppc64:
wpa_supplicant-2.6-5.el7_4.1.ppc64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64.rpm
ppc64le:
wpa_supplicant-2.6-5.el7_4.1.ppc64le.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64le.rpm
s390x:
wpa_supplicant-2.6-5.el7_4.1.s390x.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.s390x.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-13077
https://access.redhat.com/security/cve/CVE-2017-13078
https://access.redhat.com/security/cve/CVE-2017-13080
https://access.redhat.com/security/cve/CVE-2017-13082
https://access.redhat.com/security/cve/CVE-2017-13086
https://access.redhat.com/security/cve/CVE-2017-13087
https://access.redhat.com/security/cve/CVE-2017-13088
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/kracks
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address
| VAR-201710-0208 | CVE-2017-13081 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). The IGTK group key reloading vulnerability exists in the WPA2 wireless network. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3455-1
CVE-2016-4476, CVE-2016-4477, CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
Package Information:
https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu9.1
https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.2
https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.5
.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets. This is the
list of vulnerabilities that are addressed here:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the
4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key
handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS)
PeerKey (TPK) key in the TDLS handshake.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
| VAR-201710-0211 | CVE-2017-13078 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). The WPA2 wireless network has a GTK group key reload vulnerability in the fourth handshake. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: wpa_supplicant security update
Advisory ID: RHSA-2017:2907-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2907
Issue date: 2017-10-17
CVE Names: CVE-2017-13077 CVE-2017-13078 CVE-2017-13080
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088
=====================================================================
1. Summary:
An update for wpa_supplicant is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The wpa_supplicant packages contain an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. They implement key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver. A remote attacker within Wi-Fi range
could exploit these attacks to decrypt Wi-Fi traffic or possibly inject
forged Wi-Fi packets by manipulating cryptographic handshakes used by the
WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Red Hat would like to thank CERT for reporting these issues. Upstream
acknowledges Mathy Vanhoef (University of Leuven) as the original reporter
of these issues. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
aarch64:
wpa_supplicant-2.6-5.el7_4.1.aarch64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.aarch64.rpm
ppc64:
wpa_supplicant-2.6-5.el7_4.1.ppc64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64.rpm
ppc64le:
wpa_supplicant-2.6-5.el7_4.1.ppc64le.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64le.rpm
s390x:
wpa_supplicant-2.6-5.el7_4.1.s390x.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.s390x.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-13077
https://access.redhat.com/security/cve/CVE-2017-13078
https://access.redhat.com/security/cve/CVE-2017-13080
https://access.redhat.com/security/cve/CVE-2017-13082
https://access.redhat.com/security/cve/CVE-2017-13086
https://access.redhat.com/security/cve/CVE-2017-13087
https://access.redhat.com/security/cve/CVE-2017-13088
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/kracks
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-12-12-2 AirPort Base Station Firmware Update 7.7.9
AirPort Base Station Firmware Update 7.7.9 is now available and
addresses the following:
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker within range may be able to execute arbitrary
code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA
unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state
transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA
multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state
transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven
Installation note:
Firmware version 7.7.9 is installed on AirPort Extreme or
AirPort Time Capsule base stations with 802.11ac using
AirPort Utility for Mac or iOS.
AirPort Utility for Mac is a free download from
https://support.apple.com/downloads/ and AirPort Utility for iOS
is a free download from the App Store.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at
KU Leuven
Installation note:
Wi-Fi Update for Boot Camp 6.4.0 may be obtained from Apple Software
Update for Windows. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes. 6) - i386, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address
| VAR-201710-0206 | CVE-2017-13077 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 5.4 CVSS V3: 6.8 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). The WPA2 wireless network has a PTK-TK key reload vulnerability in the fourth handshake. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: wpa_supplicant security update
Advisory ID: RHSA-2017:2907-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2907
Issue date: 2017-10-17
CVE Names: CVE-2017-13077 CVE-2017-13078 CVE-2017-13080
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088
=====================================================================
1. Summary:
An update for wpa_supplicant is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The wpa_supplicant packages contain an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. They implement key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver. A remote attacker within Wi-Fi range
could exploit these attacks to decrypt Wi-Fi traffic or possibly inject
forged Wi-Fi packets by manipulating cryptographic handshakes used by the
WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Red Hat would like to thank CERT for reporting these issues. Upstream
acknowledges Mathy Vanhoef (University of Leuven) as the original reporter
of these issues. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1491692 - CVE-2017-13077 wpa_supplicant: Reinstallation of the pairwise key in the 4-way handshake
1491693 - CVE-2017-13078 wpa_supplicant: Reinstallation of the group key in the 4-way handshake
1491696 - CVE-2017-13080 wpa_supplicant: Reinstallation of the group key in the group key handshake
1491698 - CVE-2017-13082 wpa_supplicant: Accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it
1500302 - CVE-2017-13086 wpa_supplicant: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
1500303 - CVE-2017-13087 wpa_supplicant: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
1500304 - CVE-2017-13088 wpa_supplicant: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
aarch64:
wpa_supplicant-2.6-5.el7_4.1.aarch64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.aarch64.rpm
ppc64:
wpa_supplicant-2.6-5.el7_4.1.ppc64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64.rpm
ppc64le:
wpa_supplicant-2.6-5.el7_4.1.ppc64le.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.ppc64le.rpm
s390x:
wpa_supplicant-2.6-5.el7_4.1.s390x.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.s390x.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
wpa_supplicant-2.6-5.el7_4.1.src.rpm
x86_64:
wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm
wpa_supplicant-debuginfo-2.6-5.el7_4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-13077
https://access.redhat.com/security/cve/CVE-2017-13078
https://access.redhat.com/security/cve/CVE-2017-13080
https://access.redhat.com/security/cve/CVE-2017-13082
https://access.redhat.com/security/cve/CVE-2017-13086
https://access.redhat.com/security/cve/CVE-2017-13087
https://access.redhat.com/security/cve/CVE-2017-13088
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/kracks
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-12-12-2 AirPort Base Station Firmware Update 7.7.9
AirPort Base Station Firmware Update 7.7.9 is now available and
addresses the following:
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker within range may be able to execute arbitrary
code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA
unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state
transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven
AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA
multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state
transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven
Installation note:
Firmware version 7.7.9 is installed on AirPort Extreme or
AirPort Time Capsule base stations with 802.11ac using
AirPort Utility for Mac or iOS.
AirPort Utility for Mac is a free download from
https://support.apple.com/downloads/ and AirPort Utility for iOS
is a free download from the App Store.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at
KU Leuven
Installation note:
Wi-Fi Update for Boot Camp 6.4.0 may be obtained from Apple Software
Update for Windows. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201711-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: hostapd and wpa_supplicant: Key Reinstallation (KRACK)
attacks
Date: November 10, 2017
Bugs: #634436, #634438
ID: 201711-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A flaw was discovered in the 4-way handshake in hostapd and
wpa_supplicant that allows attackers to conduct a Man in the Middle
attack.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-wireless/hostapd < 2.6-r1 >= 2.6-r1
2 net-wireless/wpa_supplicant
< 2.6-r3 >= 2.6-r3
-------------------------------------------------------------------
2 affected packages
Description
===========
WiFi Protected Access (WPA and WPA2) and it's associated technologies
are all vulnerable to the KRACK attacks. Please review the referenced
CVE identifiers for details.
Impact
======
An attacker can carry out the KRACK attacks on a wireless network in
order to gain access to network clients. Once achieved, the attacker
can potentially harvest confidential information (e.g. HTTP/HTTPS),
inject malware, or perform a myriad of other attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All hostapd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/hostapd-2.6-r1"
All wpa_supplicant users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=net-wireless/wpa_supplicant-2.6-r3"
References
==========
[ 1 ] CVE-2017-13077
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13077
[ 2 ] CVE-2017-13078
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13078
[ 3 ] CVE-2017-13079
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13079
[ 4 ] CVE-2017-13080
. 6) - i386, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz: Upgraded.
This update includes patches to mitigate the WPA2 protocol issues known
as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
hijack TCP connections, and to forge and inject packets.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.
For more information, see:
https://www.krackattacks.com/
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wpa_supplicant-2.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wpa_supplicant-2.6-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/wpa_supplicant-2.6-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wpa_supplicant-2.6-i586-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wpa_supplicant-2.6-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d8ecfaadb50b3547967ab53733ffc019 wpa_supplicant-2.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
f25216d28800504ce498705da7c9a825 wpa_supplicant-2.6-x86_64-1_slack14.0.txz
Slackware 14.1 package:
15c61050e4bab2581757befd86be74c0 wpa_supplicant-2.6-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
49fd537a520338744f7757615556d352 wpa_supplicant-2.6-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c5539f40c8510af89be92945f0f80185 wpa_supplicant-2.6-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
4c527ff84fcdfd7839f217bbce2e4ae4 wpa_supplicant-2.6-x86_64-1_slack14.2.txz
Slackware -current package:
28bd88a54e96368f7a7020c1f5fb67fe n/wpa_supplicant-2.6-i586-2.txz
Slackware x86_64 -current package:
464fc6b48d1ac077f47e9a3a8534c160 n/wpa_supplicant-2.6-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg wpa_supplicant-2.6-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address
| VAR-201710-0207 | CVE-2017-13080 |
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Related entries in the VARIoT exploits database: VAR-E-201710-0481 |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames. These vulnerabilities are referred to as Key Reinstallation Attacks or "KRACK" attacks. WPA (Wi-Fi Protected Access) is a system that protects wireless computer networks (Wi-Fi). The GTK group key reloading vulnerability exists in the WPA2 wireless network. WPA2 is prone to multiple security weaknesses.
Exploiting these issues may allow an unauthorized user to intercept and manipulate data or disclose sensitive information. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-12-6-3 watchOS 4.2
watchOS 4.2 addresses the following:
IOSurface
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13861: Ian Beer of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13862: Apple
CVE-2017-13876: Ian Beer of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2017-13833: Brandon Azad
Kernel
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13867: Ian Beer of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero
Wi-Fi
Available for: Apple Watch (1st Generation) and Apple Watch Series 3
Released for Apple Watch Series 1 and Apple Watch Series 2 in
watchOS 4.1. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About". Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).
An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.
For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
We recommend that you upgrade your wpa packages.
CVE-2017-13804: @qwertyoruiopz at KJC Research Intl. S.R.L. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: wpa_supplicant security update
Advisory ID: RHSA-2017:2911-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2911
Issue date: 2017-10-18
CVE Names: CVE-2017-13077 CVE-2017-13078 CVE-2017-13080
CVE-2017-13087
=====================================================================
1. Summary:
An update for wpa_supplicant is now available for Red Hat Enterprise Linux
6.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
3. Description:
The wpa_supplicant packages contain an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. They implement key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver. A remote attacker within Wi-Fi range
could exploit these attacks to decrypt Wi-Fi traffic or possibly inject
forged Wi-Fi packets by manipulating cryptographic handshakes used by the
WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080,
CVE-2017-13087)
Red Hat would like to thank CERT for reporting these issues. Upstream
acknowledges Mathy Vanhoef (University of Leuven) as the original reporter
of these issues. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
wpa_supplicant-0.7.3-9.el6_9.2.src.rpm
i386:
wpa_supplicant-0.7.3-9.el6_9.2.i686.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.i686.rpm
x86_64:
wpa_supplicant-0.7.3-9.el6_9.2.x86_64.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
wpa_supplicant-0.7.3-9.el6_9.2.src.rpm
x86_64:
wpa_supplicant-0.7.3-9.el6_9.2.x86_64.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
wpa_supplicant-0.7.3-9.el6_9.2.src.rpm
i386:
wpa_supplicant-0.7.3-9.el6_9.2.i686.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.i686.rpm
ppc64:
wpa_supplicant-0.7.3-9.el6_9.2.ppc64.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.ppc64.rpm
s390x:
wpa_supplicant-0.7.3-9.el6_9.2.s390x.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.s390x.rpm
x86_64:
wpa_supplicant-0.7.3-9.el6_9.2.x86_64.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
wpa_supplicant-0.7.3-9.el6_9.2.src.rpm
i386:
wpa_supplicant-0.7.3-9.el6_9.2.i686.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.i686.rpm
x86_64:
wpa_supplicant-0.7.3-9.el6_9.2.x86_64.rpm
wpa_supplicant-debuginfo-0.7.3-9.el6_9.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-13077
https://access.redhat.com/security/cve/CVE-2017-13078
https://access.redhat.com/security/cve/CVE-2017-13080
https://access.redhat.com/security/cve/CVE-2017-13087
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/kracks
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic: WPA2 protocol vulnerability
Category: contrib
Module: wpa
Announced: 2017-10-16
Credits: Mathy Vanhoef
Affects: All supported versions of FreeBSD.
Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE)
2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1)
2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22)
CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2017-10-17 Initial release.
v1.1 2017-10-19 Add patches for 10.x releases.
I.
hostapd and wpa_supplicant are implementations of user space daemon for
access points and wireless client that implements the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
III. Impact
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
IV. Workaround
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
hostapd_program="/usr/local/sbin/hostapd"
and restart hostapd.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
[FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc
# gpg --verify wpa-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r324697
releng/11.0/ r324698
releng/11.1/ r324699
stable/10/ r324739
releng/10.3/ r324740
releng/10.4/ r324741
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt>
<URL:https://www.krackattacks.com/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlnoGpNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auc7WBAAm27w+fujv5sJsRxauUMopTVtRh5utwbDuoHTP+L+RCWmQfVBmueNQ0gf
uJzMNxBIkbtY9LvyukpRsH3iD7mh26c0pd9rxxkkr4F96C9B5+W0amxJF1gdm54/
F/50FpY+lo7cNs5tiBjypPrg8UOBBI/1G4XR7130XC0HjaTwt1ngZ0oQUWUMSsIp
gN5ZfPul81WPWd1NqF+vyObcJhwq/Y1uoexoO27o7GQCFZoL3enZy8c4f1xqMlVM
4HHkTgNGac6E0aW+ArH4J0DFFAOJXPqF8rdt+9XINfoBbtliIyOixJ4oh1n6eAR0
VpBWZKFNyXSlUKIvDGa+LDhxgL1jJXV0ABSyKlUOijdmr3bbbiQE9MW/MNv2AFTd
OAFQ0QQtm9KCWp5JLh+FPIb/kR2l7MOUP+yz4zFcJpdGtl9tDLyPN8vRTq60bY8O
y7tBcf/SMqkd/AIFdchL4zrOguKnRARydIlwTarp8wtAQI3MKSsa1B0wgsDtlL6K
xfdjnwWMKvKKlNOW16e1WXXO0n/ucHV4njBE+bGPro3jLgXP2/WFZpIGAR3I4xrr
SdD4AxSNiR9f3bL7LRfMIbugJAylWNSlTLWUOVUv0/ONh85LqbcCj13NI230B64K
ETx2QOZgKnCs2oDNiw4aQHb7kvi2w94Iw/R1sAPkkxYJWO3reyE=
=h/5q
-----END PGP SIGNATURE-----
. ==========================================================================
Ubuntu Security Notice USN-3455-1
October 16, 2017
wpa vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in wpa_supplicant.
Software Description:
- wpa: client support for WPA and WPA2
Details:
Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)
Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5
After a standard system update you need to reboot your computer to make
all the necessary changes
| VAR-201710-0667 | CVE-2017-15360 | PRTG Network Monitor Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cross-Site Scripting on all group names created, related to incorrect error handling for an HTML encoded script. PRTG Network Monitor Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. PaesslerPRTGNetworkMonitor is a network monitoring software from Paessler, Germany. The software provides usage monitoring, packet sniffing, in-depth analysis, and concise reporting. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML
| VAR-201710-1295 | CVE-2017-15304 | AIRTAME HDMI Dongle firmware vulnerable to session fixation |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change. AIRTAME HDMI Dongle firmware contains a session fixation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AIRTAMEHDMIdongle is a wireless access point product for connecting, sharing and split-screen TVs or monitors. There is a security vulnerability in the /bin/login.php file of WebPanel in AirtameHDMIdongle with firmware version 3.0
| VAR-201710-1337 | CVE-2017-7335 | Fortinet FortiWLC Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
A Cross-Site Scripting (XSS) vulnerability in Fortinet FortiWLC 6.1-x (6.1-2, 6.1-4 and 6.1-5); 7.0-x (7.0-7, 7.0-8, 7.0-9, 7.0-10); and 8.x (8.0, 8.1, 8.2 and 8.3.0-8.3.2) allows an authenticated user to inject arbitrary web script or HTML via non-sanitized parameters "refresh" and "branchtotable" present in HTTP POST requests. Fortinet FortiWLC Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. FortinetFortiWLC is a network management device. Fortinet FortiWLC is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following versions are vulnerable:
FortiWLC 6.1-2, 6.1-4 and 6.1-5
FortiWLC 7.0-7, 7.0-8, 7.0-9, 7.0-10
FortiWLC 8.0, 8.1, 8.2 and 8.3.0 through 8.3.2. Fortinet FortiWLC is a wireless LAN controller from Fortinet. The following versions are affected: Fortinet FortiWLC Version 6.1-2, Version 6.1-4, Version 6.1-5, Version 7.0-7, Version 7.0-8, Version 7.0-9, Version 7.0-10, Version 8.0, Version 8.1, Version 8.2 , version 8.3.0-8.3.2
| VAR-201710-0241 | CVE-2017-10608 | Juniper Networks Junos OS Vulnerable to resource exhaustion |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Any Juniper Networks SRX series device with one or more ALGs enabled may experience a flowd crash when traffic is processed by the Sun/MS-RPC ALGs. This vulnerability in the Sun/MS-RPC ALG services component of Junos OS allows an attacker to cause a repeated denial of service against the target. Repeated traffic in a cluster may cause repeated flip-flop failure operations or full failure to the flowd daemon halting traffic on all nodes. Only IPv6 traffic is affected by this issue. IPv4 traffic is unaffected. This issues is not seen with to-host traffic. This issue has no relation with HA services themselves, only the ALG service. No other Juniper Networks products or platforms are affected by this issue. Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D55 on SRX; 12.1X47 prior to 12.1X47-D45 on SRX; 12.3X48 prior to 12.3X48-D32, 12.3X48-D35 on SRX; 15.1X49 prior to 15.1X49-D60 on SRX. Juniper Networks Junos OS Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. JunosOS is a set of operating systems running on it. Sun/MS-RPCALGservicescomponent is one of the Sun/MS-RPCALG service components. A security vulnerability exists in the Sun/MS-RPCALG service component of JunosOS in the Juniper SRX family of devices
| VAR-201710-0800 | CVE-2017-14007 |
ProMinent MultiFLEX M10a Controller of Web Session expiration vulnerability in the interface
Related entries in the VARIoT exploits database: VAR-E-201710-0369 |
CVSS V2: 6.8 CVSS V3: 5.6 Severity: MEDIUM |
An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities:
1. Multiple security-bypass vulnerabilities
2. An information-disclosure vulnerability
3. A cross-site request-forgery vulnerability
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gaining unauthorized access to the affected device and obtaining sensitive information; other attacks are also possible. Web interface is one of the web management interfaces
| VAR-201710-1284 | CVE-2017-15291 |
TP-LINK TL-MR3220 Cross-site scripting vulnerability in wireless router
Related entries in the VARIoT exploits database: VAR-E-201710-0022 |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering page in TP-LINK TL-MR3220 wireless routers allows remote attackers to inject arbitrary web script or HTML via the Description field. TP-LINK TL-MR3220 Wireless routers contain a cross-site scripting vulnerability.Information may be obtained and information may be altered. TP-LINKTL-MR3220wirelessrouters is a wireless router product from China Unicom (TP-LINK)
| VAR-201710-0799 | CVE-2017-14005 |
ProMinent MultiFLEX M10a Controller Password change vulnerability
Related entries in the VARIoT exploits database: VAR-E-201710-0369 |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user's password, enabling future access and possible configuration changes. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities:
1. Multiple security-bypass vulnerabilities
2. An information-disclosure vulnerability
3. A cross-site request-forgery vulnerability
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gaining unauthorized access to the affected device and obtaining sensitive information; other attacks are also possible. Web interface is one of the web management interfaces
| VAR-201710-0801 | CVE-2017-14009 |
ProMinent MultiFLEX M10a Controller of Web Information disclosure vulnerability in the interface
Related entries in the VARIoT exploits database: VAR-E-201710-0369 |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
An Information Exposure issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities:
1. Multiple security-bypass vulnerabilities
2. An information-disclosure vulnerability
3. A cross-site request-forgery vulnerability
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gaining unauthorized access to the affected device and obtaining sensitive information; other attacks are also possible. Web interface is one of the web management interfaces
| VAR-201710-0802 | CVE-2017-14011 |
ProMinent MultiFLEX M10a Controller Cross-Site Request Forgery Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201710-0369 |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A Cross-Site Request Forgery issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The application does not sufficiently verify requests, making it susceptible to cross-site request forgery. This may allow an attacker to execute unauthorized code, resulting in changes to the configuration of the device. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities:
1. Multiple security-bypass vulnerabilities
2. An information-disclosure vulnerability
3. A cross-site request-forgery vulnerability
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gaining unauthorized access to the affected device and obtaining sensitive information; other attacks are also possible. Web interface is one of the web management interfaces