(FreeBSD Issues Fix) wpa_supplicant WPA/WPA2 Protocol Key Reinstallation Attack Lets Remote Users Access and Modify Data on the Target Wireless Network
SecurityTracker Alert ID: 1039609
SecurityTracker URL: http://securitytracker.com/id/1039609
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
Updated: Oct 19 2017
Original Entry Date: Oct 18 2017
Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 2.6 and prior
Multiple vulnerabilities were reported in wpa_supplicant. A remote user on the wireless network can access and modify data on the wireless network.
A remote user within range of the wireless network can record and replay retransmissions of part of the 802.11i 4-way handshake of the WPA and WPA2 protocols to force a reinstallation of the pairwise transient key, a group key, or an integrity key and force a reset of the incremental transmit packet number nonce and the receive replay counter. As a result, the remote user can replay encrypted packets, decrypt packets, and forge packets.
Both client systems and access points are affected.
A remote user on the wireless network can reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13077].
A remote user on the wireless network can reinstall the group key (GTK) [CVE-2017-13078, CVE-2017-13080].
A remote user on the wireless network can reinstall the integrity group key (IGTK) [CVE-2017-13079, CVE-2017-13081].
A remote user on the wireless network can retransmit the Fast BSS Transition (FT) Reassociation Request and reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13082].
A remote user on the wireless network can reinstall the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake [CVE-2017-13086].
A remote user on the wireless network can reinstall the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13087].
A remote user on the wireless network can reinstall the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13088].
This set of vulnerabilities is referred to as KRACK (Key Reinstallation AttaCK).
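A minimal C model of the counter reset described above, added here as an illustration; it is not code from wpa_supplicant, hostapd, or the FreeBSD patch. The struct, the function names and the same-key guard are assumptions made for the example, which contrasts a handler that installs the key on every copy of handshake message 3 with one that ignores a key already in use.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct sta {            /* toy client key state; all names are hypothetical */
    uint8_t tk[16];     /* installed temporal key */
    bool tk_set;
    uint64_t tx_pn;     /* transmit packet number, used as the nonce */
    uint64_t rx_replay; /* highest packet number accepted so far */
};
struct result { bool nonce_reused; bool replay_accepted; };
/* Installing a key resets both counters, as the advisory describes. */
static void install_key(struct sta *s, const uint8_t *tk) {
    memcpy(s->tk, tk, 16);
    s->tk_set = true;
    s->tx_pn = s->rx_replay = 0;
}
/* Weak: every copy of handshake message 3 triggers an install. */
void on_msg3_weak(struct sta *s, const uint8_t *tk) { install_key(s, tk); }
/* Guarded: a retransmission carrying the key already in use is a no-op. */
void on_msg3_guarded(struct sta *s, const uint8_t *tk) {
    if (s->tk_set && memcmp(s->tk, tk, 16) == 0) return;
    install_key(s, tk);
}
static uint64_t send_frame(struct sta *s) { return ++s->tx_pn; }
static bool recv_frame(struct sta *s, uint64_t pn) {
    if (pn <= s->rx_replay) return false; /* replay protection */
    s->rx_replay = pn;
    return true;
}
/* Handshake, one frame each way, then a retransmitted message 3 arrives. */
struct result run(void (*on_msg3)(struct sta *, const uint8_t *)) {
    static const uint8_t tk[16] = { 0xA5 }; /* constructed sample key */
    struct sta s = { 0 };
    struct result r;
    on_msg3(&s, tk);
    uint64_t first_pn = send_frame(&s);
    recv_frame(&s, 1);                 /* peer frame with PN 1 accepted */
    on_msg3(&s, tk);                   /* retransmitted message 3 */
    r.nonce_reused = (send_frame(&s) == first_pn);
    r.replay_accepted = recv_frame(&s, 1); /* the same peer frame again */
    return r;
}
int main(void) {
    struct result w = run(on_msg3_weak), g = run(on_msg3_guarded);
    printf("weak: reuse=%d replay=%d\n", w.nonce_reused, w.replay_accepted);
    printf("guarded: reuse=%d replay=%d\n", g.nonce_reused, g.replay_accepted);
    return 0;
}
```

With the weak handler the next frame goes out under a packet number already used with the same key, and a previously accepted frame passes the replay check again; the guarded handler keeps both counters intact.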
The original advisory is available at:
Additional information is available at:
Mathy Vanhoef and Frank Piessens from Katholieke Universiteit Leuven reported these vulnerabilities. John Van Boxtel from Cypress reported one vulnerability.
[Editor's note: The vulnerabilities reside in the WPA and WPA2 protocol specification and are not due to incorrect vendor implementation of the standards.]
A remote user on the wireless network can access and modify data on the wireless network.
FreeBSD has issued a fix.
The FreeBSD advisory is available at:
Vendor URL: security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc
Access control error, State error
Underlying OS: UNIX (FreeBSD)
Underlying OS Comments: 10.3, 10.4, 11.0, 11.1
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: FreeBSD Security Advisory FreeBSD-SA-17:07.wpa
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-17:07.wpa Security Advisory
The FreeBSD Project
Topic:          WPA2 protocol vulnerability
Credits:        Mathy Vanhoef
Affects:        All supported versions of FreeBSD.
Corrected:      2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE)
                2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2)
                2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13)
CVE Name:       CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
                CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
                CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
Wi-Fi Alliance to secure wireless computer networks.
hostapd and wpa_supplicant are implementations of user space daemons for
access points and wireless clients that implement the WPA2 protocol.
II. Problem Description
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
Such reinstallation of the encryption key can result in two different
types of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
An updated version of wpa_supplicant is available in the FreeBSD Ports
Collection. Install version 2.6_2 or later of the
security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf
to use the new binary:
and restart networking.
An updated version of hostapd is available in the FreeBSD Ports
Collection. Install version 2.6_1 or later of the net/hostapd port/pkg.
Once installed, update /etc/rc.conf to use the new binary:
and restart hostapd.
Patches are currently available for stable/11, releng/11.0, and
releng/11.1. Patches for stable/10, releng/10.3, and releng/10.4 are
still being evaluated.
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the Wi-Fi network interfaces/hostapd or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----