PSIRT Advisory
Key Reinstallation Attacks: Cryptographic/protocol attack against WPA2
Summary
Several vulnerabilities affect the Wi-Fi Protected Access II (WPA2) protocol, potentially enabling Man-in-the-Middle (MitM) attacks between Wifi Clients and Access Points running WPA2. The impact includes decryption, packet replay, TCP connection hijacking and HTTP content injection.
The related CVEs are:
1. CVE-2017-13077: reinstallation of the pairwise key in the 4-way handshake
2. CVE-2017-13078: reinstallation of the group key in the 4-way handshake
3. CVE-2017-13079: reinstallation of the integrity group key in the 4-way handshake
4. CVE-2017-13080: reinstallation of the group key in the group key handshake
5. CVE-2017-13081: reinstallation of the integrity group key in the group key handshake
6. CVE-2017-13082: accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it
7. CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
8. CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
9. CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
10. CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
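The common thread in the CVEs above is that a key which is already in use gets installed a second time, which resets the per-key packet number that feeds the CCMP nonce. The toy model below is an added example written for this advisory and is not Fortinet's code nor the 802.11 standard's pseudocode: it reduces the supplicant to the single step that matters (processing message 3 of the 4-way handshake), replaces CCMP with a stand-in stream cipher built from HMAC-SHA256, and uses a constructed PTK and two constructed frames. It shows that a supplicant which reinstalls the PTK on a retransmitted message 3 reuses packet number 0 and thereby leaks the XOR of two plaintexts, while a supplicant that refuses to reinstall an already-installed key (the general mitigation approach; the exact mechanism in the products listed here is not described on this page) keeps the counter monotonic. The `detect_nonce_reuse` helper is the check a monitoring tool would run over captured packet numbers.

```python
"""Toy model of WPA2 key installation and why reinstalling a key is harmful.

Added example, not vendor or standard code. The cipher is a stand-in stream
cipher (HMAC-SHA256 keystream), NOT CCMP; the PTK and frames are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample plaintexts (same length so the XOR check is exact).
FRAME_A = b"GET /index.html "
FRAME_B = b"Cookie: sess=42 "


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream: HMAC(key, nonce || block_counter), block by block."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    reinstall_guard: bool                 # True = hardened behaviour
    ptk: Optional[bytes] = None
    packet_number: int = 0                # per-key nonce counter
    installed: bool = False
    sent: List[Tuple[int, bytes]] = field(default_factory=list)

    def handle_message3(self, ptk: bytes) -> str:
        """Process EAPOL-Key message 3 (the frame may be a retransmission)."""
        if self.installed and self.reinstall_guard:
            # Hardened: the key is already in use; acknowledge the message but
            # leave the installed key and its packet counter untouched.
            return "ack-without-reinstall"
        self.ptk = ptk
        self.packet_number = 0            # counter reset: this is the defect
        self.installed = True
        return "installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the current key and packet number."""
        pn = self.packet_number
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.ptk, pn, len(plaintext)))
        self.sent.append((pn, ct))
        return pn, ct


def detect_nonce_reuse(frames: List[Tuple[int, bytes]]) -> Set[int]:
    """Return packet numbers that appear more than once under one key."""
    seen: Set[int] = set()
    reused: Set[int] = set()
    for pn, _ in frames:
        if pn in seen:
            reused.add(pn)
        seen.add(pn)
    return reused


def simulate(hardened: bool) -> Optional[bytes]:
    """Run the handshake step twice (genuine + retransmitted message 3).

    Returns the XOR of the two ciphertexts sharing a packet number, which
    equals FRAME_A ^ FRAME_B when the keystream was reused, or None when
    every packet number was used once.
    """
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()
    sta = Supplicant(reinstall_guard=hardened)
    sta.handle_message3(ptk)              # genuine message 3
    sta.send(FRAME_A)                     # packet number 0
    sta.handle_message3(ptk)              # retransmitted message 3
    sta.send(FRAME_B)                     # vulnerable: 0 again; hardened: 1
    reused = detect_nonce_reuse(sta.sent)
    if not reused:
        return None
    pn = next(iter(reused))
    cts = [ct for p, ct in sta.sent if p == pn]
    return xor(cts[0], cts[1])


if __name__ == "__main__":
    print("vulnerable leaks A^B:", simulate(hardened=False) == xor(FRAME_A, FRAME_B))
    print("hardened leaks nothing:", simulate(hardened=True) is None)
```

The guard in `handle_message3` is deliberately narrow: it still acknowledges the retransmitted message so the handshake completes, and only refuses to overwrite a key that is already installed. A real implementation also has to apply the same rule to the group keys (GTK/IGTK) delivered in message 3, the group key handshake and the WNM Sleep Mode response, which is exactly the list of CVEs above.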
Impact
Man-in-the-Middle attacks
Affected Products
** Branch 5.4: FortiOS 5.4.8 and below
** Branch 5.2: FortiOS 5.2.11 and below
** Previous branches: All versions
** Branch 5.4: FortiAP 5.4.3 and below
** Branch 5.2: FortiAP 5.2.6 and below
** Previous branches: All versions
** Branch 8.2: Meru AP 8.2.7 and below
** Branch 8.0: All versions
** Branch 7.0: Meru AP 7.0.11 and below
** Previous branches: All versions
** Branch 8.2: FortiWLC 8.2.7 and below
** Branch 8.0: All versions
** Branch 7.0: FortiWLC 7.0.11 and below
** Previous branches: All versions
Solutions
For FortiGate Wifi models used under Wifi Client mode:
Upgrade to 5.2.12, 5.4.6 or 5.6.3 [**]
For FortiAP used as a mesh leaf:
Upgrade to FortiAP 5.2.7, 5.4.4 or 5.6.1 [**]
For Meru AP:
Apply special patches[*] to already released 8.3.3, 8.2.7 or 7.0.11
For FortiWLC:
Apply special patches[*] to already released 8.3.3, 8.2.7 or 7.0.11
[*] Reach out to your local TAC to request the special build and patches
[**] for the additional CVE-2017-13077 fix, refer to the UPDATE below
UPDATE: Accumulated fix for CVE-2017-13077:
To pass Wi-Fi Alliance Security Detection 2017 Test Plan Version 1.1, test case 4.1.5, the following products need to be specially upgraded to the following versions:
FortiOS 5.2 branch: upgrade to upcoming 5.2.14
FortiOS 5.4 branch: upgrade to FortiOS 5.4.9
FortiAP 5.6 branch: upgrade to FortiAP 5.6.2
UPDATE: AP side patch to prevent WPA2 KRACK attacks against vulnerable Wifi clients:
Fortinet is providing Access Point side protection to prevent WPA2 KRACK attacks against vulnerable Wifi Clients (regardless of their brand or make), with the following released or upcoming products and versions:
FortiOS: From upcoming FortiOS 6.0.0
FortiAP: From FortiAP 5.6.2 and 5.4.4
Meru AP: From upcoming Meru AP 8.5.0
FortiWLC: From upcoming FortiWLC 8.4.0
When connected to the products and versions above, even third-party Wifi Clients that are theoretically vulnerable to WPA2 KRACK attacks become "not impacted" in practice, due to the protection provided by the Access Point.
Update History:
10-16-2017 Initial version
01-19-2018 Update accumulated fix info for CVE-2017-13077
01-19-2018 AP side patch to prevent WPA2 KRACK attacks against vulnerable Wifi clients