PSIRT Advisory

Key Reinstallation Attacks: Cryptographic/protocol attack against WPA2

Summary

Several vulnerabilities affect the Wi-Fi Protected Access II (WPA2) protocol, potentially enabling Man-in-the-Middle (MitM) attacks between Wifi Clients and Access Points running WPA2 . The impact  includes decryption, packet replay, TCP connection hijacking and HTTP content injection.

The related CVEs are:
1. CVE-2017-13077: reinstallation of the pairwise key in the 4-way handshake
2. CVE-2017-13078: reinstallation of the group key in the 4-way handshake
3. CVE-2017-13079: reinstallation of the integrity group key in the 4-way handshake
4. CVE-2017-13080: reinstallation of the group key in the group key handshake
5. CVE-2017-13081: reinstallation of the integrity group key in the group key handshake
6. CVE-2017-13082: accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it
7. CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
8. CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
9. CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
10. CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

Impact

Man-in-the-Middle attacks

Affected Products

Solutions

For FortiGate Wifi models used under Wifi Client mode:

Upgrade to 5.2.12, 5.4.6 or 5.6.3 [**]

For FortiAP used as a mesh leaf:

Upgrade to FortiAP 5.2.7, 5.4.4 or 5.6.1 [**]

For Meru AP:

Apply special patches[*] to already released 8.3.3, 8.2.7 or 7.0.11

For FortiWLC:

Apply special patches[*] to already released 8.3.3, 8.2.7 or 7.0.11

[*] Reach out to your local TAC to request the special build and patches
[**] for the additional CVE-2017-13077 fix, refer to the UPDATE  below

UPDATE: Accumulate fix for CVE-2017-13077:

To pass Wi-Fi Alliance Security Detection 2017 Test Plan Version 1.1, test case 4.1.5, the following product need to be specially upgraded to the following versions:

FortiOS 5.2 branch: upgrade to upcoming 5.2.14
FortiOS 5.4 branch: upgrade to FortiOS 5.4.9
FortiAP 5.6 branch:  upgrade to FortiAP 5.6.2

UPDATE: AP side patch to prevent WPA2 KRACK attacks against vulnerable Wifi clients:

Fortinet is providing Access Point side protection to prevent WPA2 KRACK attacks against vulnerable Wifi Clients (regardless their brand or make), with the following released or upcoming product and versions:

FortiOS: From upcoming FortiOS 6.0.0
FortiAP: From FortiAP 5.6.2 and 5.4.4
Meru AP: From upcoming Meru AP 8.5.0
FortiWLC: From upcoming FortiWLC 8.4.0

When connected to the products and versions above, even third party Wifi Clients that are theoretically vulnerable to WPA2 KRACK attacks will actually become "not impacted", due to the protection provided by the Access Point.

Update History:
10-16-2017 Initial version
01-19-2018 Update accumulate fix info for CVE-2017-13077
01-19-2018 AP side patch to prevent WPA2 KRACK attacks against vulnerable Wifi clients

References

• https://www.krackattacks.com/