SecurityTracker.com
Category:   Device (VoIP/Phone/FAX)  >   Cisco IP Phones
Vendors:   Cisco
Cisco IP Phones WPA/WPA2 Protocol Key Reinstallation Attack Lets Remote Users Access and Modify Data on the Target Wireless Network
SecurityTracker Alert ID:  1039578
SecurityTracker URL:  http://securitytracker.com/id/1039578
CVE Reference:   CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
Date:  Oct 16 2017
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Models 8821, 8861, 8865, DX 70, DX 80
Description:   Multiple vulnerabilities were reported in Cisco IP Phones. A remote user on the wireless network can access and modify data on the wireless network.

A remote user within range of the wireless network can record and replay retransmissions of part of the 802.11i 4-way handshake of the WPA and WPA2 protocols to force a reinstallation of the pairwise transient key, a group key, or an integrity key. The reinstallation resets the incremental transmit packet number (nonce) and the receive replay counter. As a result, the remote user can replay encrypted packets, decrypt packets, and forge packets.
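The counter reset described above, and the check that prevents it, shown as an added example (not code from the advisory, the vendor, or any real supplicant). The key_slot structure, the function names and the key bytes are assumptions made for illustration; a real client tracks considerably more state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TK_LEN 16

/* Simplified pairwise-key slot of a Wi-Fi client (constructed model). */
struct key_slot {
    uint8_t  tk[TK_LEN];  /* installed temporal key */
    bool     installed;
    uint64_t tx_pn;       /* transmit packet number, used as the nonce */
    uint64_t rx_pn;       /* receive replay counter: highest PN accepted */
};

/* Affected behaviour: every install, including a repeat, resets both counters. */
static void install_vulnerable(struct key_slot *s, const uint8_t *tk) {
    memcpy(s->tk, tk, TK_LEN);
    s->installed = true;
    s->tx_pn = 0;
    s->rx_pn = 0;
}

/* Hardened: a retransmitted message carrying the key already in use leaves
 * the counters alone. Returns true only when a new key was installed. */
static bool install_hardened(struct key_slot *s, const uint8_t *tk) {
    if (s->installed && memcmp(s->tk, tk, TK_LEN) == 0)
        return false;
    install_vulnerable(s, tk);  /* a genuinely new key starts from zero */
    return true;
}

/* Install a key, send n frames, process a replayed handshake message 3 with
 * the same key, and return the nonce the next outgoing frame would use. */
static uint64_t next_pn_after_replay(bool hardened, unsigned n) {
    static const uint8_t tk[TK_LEN] = { 0x01, 0x02, 0x03 };  /* constructed key */
    struct key_slot s = { 0 };
    install_vulnerable(&s, tk);
    s.tx_pn += n;  /* each data frame consumes one packet number */
    if (hardened) install_hardened(&s, tk);
    else install_vulnerable(&s, tk);
    return s.tx_pn + 1;
}

int main(void) {
    printf("next PN after replay: vulnerable=%llu hardened=%llu\n",
           (unsigned long long)next_pn_after_replay(false, 5),
           (unsigned long long)next_pn_after_replay(true, 5));
    return 0;
}
```

In the vulnerable path the next frame reuses packet number 1 under the same key, which is the nonce reuse that makes replay, decryption and forgery possible; in the hardened path the counter continues from where it was.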

A remote user on the wireless network can reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13077].

A remote user on the wireless network can reinstall the group key (GTK) [CVE-2017-13078, CVE-2017-13080].

A remote user on the wireless network can reinstall the integrity group key (IGTK) [CVE-2017-13079, CVE-2017-13081].

A remote user on the wireless network can reinstall the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake [CVE-2017-13086].

A remote user on the wireless network can reinstall the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13087].

A remote user on the wireless network can reinstall the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13088].

The vendor has assigned bug ID CSCvf71761 to these vulnerabilities for the DX Series IP Phones (DX 70, DX 80) when running Collaboration Endpoint (CE) software.

The vendor has assigned bug ID CSCvf71751 to these vulnerabilities for IP Phone 8861.

The vendor has assigned bug ID CSCvf71754 to these vulnerabilities for IP Phone 8865.

The vendor has assigned bug IDs CSCvg21098 and CSCvf71749 to these vulnerabilities for IP Phone 8821.

This set of vulnerabilities is referred to as KRACK (Key Reinstallation AttaCK).

The original advisory is available at:

https://papers.mathyvanhoef.com/ccs2017.pdf

Additional information is available at:

https://www.krackattacks.com/

[Editor's note: The vulnerabilities reside in the WPA and WPA2 protocol specification and are not due to incorrect vendor implementation of the standards.]

Mathy Vanhoef and Frank Piessens from Katholieke Universiteit Leuven reported these vulnerabilities.

Impact:   A remote user on the wireless network can access and modify data on the wireless network.
Solution:   A fix is available for the 8800 Series phone (for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, and CVE-2017-13081).

No other solutions were available at the time of this entry.

The vendor advisory is available at:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Cause:   Access control error, State error

Message History:   None.


 Source Message Contents

Subject:  Cisco IP Phones



Cisco Wireless IP Phone 8821 [additional fixes] 	CSCvg21098

Cisco Wireless IP Phone 8821 	CSCvf71749


CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

CVE-2017-13077: reinstallation of the pairwise key in the 4-way handshake
CVE-2017-13078: reinstallation of the group key in the 4-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the 4-way handshake
CVE-2017-13080: reinstallation of the group key in the group key handshake
CVE-2017-13081: reinstallation of the integrity group key in the group key handshake
 
 



Copyright 2019, SecurityGlobal.net LLC