PSIRT Advisory

Key Reinstallation Attacks: Cryptographic/protocol attack against WPA2

Summary

Several vulnerabilities, collectively known as Key Reinstallation Attacks (KRACK), affect the Wi-Fi Protected Access II (WPA2) protocol. An attacker within radio range who can place himself as a channel-based Man-in-the-Middle (MitM) between a Wi-Fi client and an access point running WPA2 can replay handshake messages so that an already-in-use key is installed again, which resets the packet number (nonce) and replay counter associated with that key. Depending on the cipher in use and on which side of the link is vulnerable, the impact includes decryption of traffic, packet replay, TCP connection hijacking and HTTP content injection.

The related CVEs are:
1. CVE-2017-13077: reinstallation of the pairwise key (PTK-TK) in the 4-way handshake
2. CVE-2017-13078: reinstallation of the group key (GTK) in the 4-way handshake
3. CVE-2017-13079: reinstallation of the integrity group key (IGTK) in the 4-way handshake
4. CVE-2017-13080: reinstallation of the group key (GTK) in the group key handshake
5. CVE-2017-13081: reinstallation of the integrity group key (IGTK) in the group key handshake
6. CVE-2017-13082: accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise key while processing it
7. CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
8. CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
9. CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
10. CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
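The mechanism shared by all of the CVEs above, shown for the pairwise-key case (CVE-2017-13077), as an added illustration that is not part of this advisory and not Fortinet code: the client keeps a packet number that is used as the CCMP nonce and as the receive replay counter, and reinstalling the key resets both. The AES-CTR keystream of CCMP is replaced here by an HMAC-SHA256 counter construction with the same nonce shape (transmitter address and packet number), the 4-way handshake is reduced to "message 3 processed", and all keys, addresses and frames are constructed sample data. The hardened branch models the generic supplicant-side mitigation (install the key once, keep answering a retransmitted message 3 with message 4); the advisory does not describe how the Fortinet fixes are implemented.

```python
"""Key reinstallation (KRACK) mechanism, reduced to the state that matters.

Added illustration, not Fortinet code. The CCMP AES-CTR keystream is replaced by an
HMAC-SHA256 counter construction with the same nonce shape (transmitter address || PN);
the 4-way handshake is reduced to "message 3 processed". Keys and frames are constructed.
"""
import hashlib
import hmac
import os


def keystream(tk: bytes, a2: bytes, pn: int, length: int) -> bytes:
    """Keystream for a frame from transmitter `a2` with packet number `pn`.
    Stand-in for the AES-CTR part of CCMP: any stream construction leaks
    plaintext XOR plaintext once a (key, nonce) pair is used twice."""
    out = b""
    block = 0
    while len(out) < length:
        nonce = a2 + pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, nonce, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Client-side key state for one association.

    vulnerable=True: every processed message 3 (re)installs the temporal key and resets
    the transmit packet number and receive replay counter (CVE-2017-13077 behaviour).
    vulnerable=False: the key is installed once; a retransmitted message 3 is answered
    with message 4 but the installed key and counters are left alone.
    """

    def __init__(self, tk: bytes, addr: bytes, vulnerable: bool):
        self.tk, self.addr, self.vulnerable = tk, addr, vulnerable
        self.installed = False
        self.tx_pn = 0  # last packet number sent (CCMP nonce component)
        self.rx_pn = 0  # highest packet number accepted (replay counter)

    def on_msg3(self) -> str:
        if self.installed and not self.vulnerable:
            return "msg4 resent, key untouched"
        self.installed = True
        self.tx_pn = 0
        self.rx_pn = 0
        return "key installed, counters reset"

    def send(self, plaintext: bytes):
        if not self.installed:
            raise RuntimeError("no key installed")
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.tk, self.addr, self.tx_pn, len(plaintext)))

    def receive(self, a2: bytes, pn: int, ciphertext: bytes):
        """Plaintext, or None when the replay check rejects the frame."""
        if pn <= self.rx_pn:
            return None
        self.rx_pn = pn
        return xor(ciphertext, keystream(self.tk, a2, pn, len(ciphertext)))


def run_scenario(vulnerable: bool) -> dict:
    tk = os.urandom(16)
    sta_addr, ap_addr = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")  # constructed
    sta = Station(tk, sta_addr, vulnerable)
    sta.on_msg3()  # message 3 arrives, key installed

    # 1. Client sends a frame whose content an attacker can predict (constructed sample).
    known = b"DHCPDISCOVER client-id 00:11:22:33:44:55 hostname laptop"
    pn1, ct1 = sta.send(known)

    # 2. Client accepts an AP frame; the attacker records it for later replay.
    ap_plain = b"ARP reply: 192.0.2.1 is-at aa:bb:cc:dd:ee:ff"
    ap_pn, ap_ct = 1, xor(ap_plain, keystream(tk, ap_addr, 1, len(ap_plain)))
    if sta.receive(ap_addr, ap_pn, ap_ct) != ap_plain:
        raise RuntimeError("first delivery should be accepted")

    # 3. Attacker (channel-based MitM) delivers the AP's retransmitted message 3 only now.
    sta.on_msg3()

    # 4. Client sends sensitive data under the (re)installed key.
    secret = b"GET /login?user=alice&password=hunter2 HTTP/1.1 Host: intranet"
    pn2, ct2 = sta.send(secret)

    # Decryption: same (key, address, PN) => same keystream, so ct1 ^ ct2 = known ^ secret.
    recovered = xor(xor(ct1, ct2), known) if pn1 == pn2 else None
    # Replay: re-deliver the AP frame; accepted only if the replay counter was reset.
    replayed = sta.receive(ap_addr, ap_pn, ap_ct) is not None
    return {"nonce_reused": pn1 == pn2, "recovered": recovered, "secret": secret, "replayed": replayed}


if __name__ == "__main__":
    for v in (True, False):
        r = run_scenario(v)
        print("vulnerable" if v else "hardened ", r["nonce_reused"], r["replayed"], r["recovered"])
```

Running it with `vulnerable=True` recovers the prefix of the second frame that overlaps the known plaintext and accepts the replayed AP frame; with `vulnerable=False` the second frame uses packet number 2, so the XOR of the ciphertexts yields nothing useful and the replay is rejected. Real CCMP additionally fails on the message integrity code rather than just the replay counter, but the nonce reuse is independent of that check, which is why the 4-way handshake retransmission alone is enough to expose plaintext.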

Impact

Man-in-the-Middle attacks

Affected Products

1. FortiGate:

These issues may only affect FortiGate Wi-Fi models operating in Wi-Fi client mode (that is, with the FortiGate acting as the supplicant side of the 4-way handshake). Specifically:

* FortiGates are not affected by CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088

* All other CVEs (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081) affect FortiGates running the following versions:

** Branch 5.6: FortiOS 5.6.2 and below

** Branch 5.4: FortiOS 5.4.5 and below

** Branch 5.2: FortiOS 5.2.11 and below

** Previous branches: All versions

2. FortiAP:

These issues may only affect a FortiAP working as a mesh leaf (that is, as the client side of the mesh backhaul link). Specifically:

* FortiAP is not affected by CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088

* All other CVEs (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081) affect FortiAP running the following firmware versions:

** Branch 5.6: FortiAP 5.6.0

** Branch 5.4: FortiAP 5.4.3 and below

** Branch 5.2: FortiAP 5.2.6 and below

** Previous branches: All versions

3. Meru AP:

Meru AP is affected when working in Mesh mode, when the Service Assurance Module (SAM) is enabled, or when 802.11r is enabled. Specifically:

* Meru AP is not affected by CVE-2017-13081, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088

* Meru AP is affected by CVE-2017-13082 when 802.11r is enabled and only with 11ac/wave2 APs. The affected versions are:

** Branch 8.3: Meru AP 8.3.3 and below

** Branch 8.2: Meru AP 8.2.7 and below

** Branch 8.0: All versions

* Meru AP is affected by CVE-2017-13077, CVE-2017-13078, CVE-2017-13079 and CVE-2017-13080 when under WPA2 security profile with the AP in client mode (under Mesh mode or when SAM enabled). The affected versions are:

** Branch 8.3: Meru AP 8.3.3 and below

** Branch 8.2: Meru AP 8.2.7 and below

** Branch 8.0: All versions

** Branch 7.0: Meru AP 7.0.11 and below

** Previous branches: All versions

4. FortiWLC:

FortiWLC is affected when working in Mesh mode, when the Service Assurance Module (SAM) is enabled, or when 802.11r is enabled. Specifically:

* FortiWLC is not affected by CVE-2017-13081, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088

* FortiWLC is affected by CVE-2017-13082 when 802.11r is enabled and only with 11ac/wave2 APs. The affected versions are:

** Branch 8.3: FortiWLC 8.3.3 and below

** Branch 8.2: FortiWLC 8.2.7 and below

** Branch 8.0: All versions

* FortiWLC is affected by CVE-2017-13077, CVE-2017-13078, CVE-2017-13079 and CVE-2017-13080 when under WPA2 security profile with the AP in client mode (under Mesh mode or when SAM enabled). The affected versions are:

** Branch 8.3: FortiWLC 8.3.3 and below

** Branch 8.2: FortiWLC 8.2.7 and below

** Branch 8.0: All versions

** Branch 7.0: FortiWLC 7.0.11 and below

** Previous branches: All versions

Solutions

For FortiGate Wi-Fi models used in Wi-Fi client mode:

Upgrade to FortiOS 5.2.12, 5.4.6, the 5.6.2 special build[*], or the upcoming FortiOS 5.6.3

For FortiAP used as a mesh leaf:

Upgrade to FortiAP 5.6.1, 5.4.4, or the upcoming FortiAP 5.2.7

For Meru AP:

Apply the special patches[*] to the already released 8.3.3, 8.2.7 or 7.0.11

For FortiWLC:

Apply the special patches[*] to the already released 8.3.3, 8.2.7 or 7.0.11

[*] Reach out to your local TAC to request the special build and patches.