PSIRT Advisory

Key Reinstallation Attacks: Cryptographic/protocol attack against WPA2

Summary

Several vulnerabilities affect the Wi-Fi Protected Access II (WPA2) protocol, potentially enabling Man-in-the-Middle (MitM) attacks between Wifi Clients and Access Points running WPA2. The impact includes decryption, packet replay, TCP connection hijacking and HTTP content injection.

The related CVEs are:
1. CVE-2017-13077: reinstallation of the pairwise key in the 4-way handshake
2. CVE-2017-13078: reinstallation of the group key in the 4-way handshake
3. CVE-2017-13079: reinstallation of the integrity group key in the 4-way handshake
4. CVE-2017-13080: reinstallation of the group key in the group key handshake
5. CVE-2017-13081: reinstallation of the integrity group key in the group key handshake
6. CVE-2017-13082: accepting a retransmitted FT Reassociation Request and reinstalling the pairwise key while processing it
7. CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
8. CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
9. CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
10. CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
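The following is an added example, not part of the Fortinet advisory, illustrating the mechanism behind the first CVE in the list above (CVE-2017-13077, pairwise key reinstallation in the 4-way handshake). It is a toy model of a supplicant's key-installation logic: installing a key resets the per-key packet number that seeds the CCMP nonce, so a client that reinstalls the same PTK when message 3 of the handshake arrives a second time reuses nonces, and two frames encrypted under the same nonce leak the XOR of their plaintexts. The hardened variant installs a given key only once. The keystream function is a SHA-256 stand-in for AES-CCM, and the PTK and frames are constructed demo values; none of this reflects any Fortinet implementation.

```python
"""Toy model of WPA2 supplicant key installation (added example, CVE-2017-13077 mechanism)."""
import hashlib


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    # Stand-in for the CCMP counter-mode keystream: a function of key and nonce only,
    # which is exactly why reusing a nonce under the same key is fatal.
    out = b""
    counter = 0
    while len(out) < length:
        block = ptk + nonce.to_bytes(6, "big") + counter.to_bytes(2, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VulnerableSupplicant:
    """Installs the PTK every time message 3 is processed, resetting the packet number."""

    def __init__(self):
        self.ptk = None
        self.tx_pn = 0      # transmit packet number; reset to 0 on every key install
        self.sent = []      # (nonce, ciphertext) log kept for the demonstration

    def handle_msg3(self, ptk: bytes):
        self.ptk = ptk
        self.tx_pn = 0      # the reinstall resets the nonce counter

    def send(self, plaintext: bytes):
        nonce = self.tx_pn
        self.tx_pn += 1
        ct = xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))
        self.sent.append((nonce, ct))
        return nonce, ct


class HardenedSupplicant(VulnerableSupplicant):
    """Treats a repeated message 3 carrying the already-installed key as a retransmission:
    the client may acknowledge it, but never reinstalls the key or resets the counter.
    A different PTK means a new handshake, so it is installed normally."""

    def handle_msg3(self, ptk: bytes):
        if self.ptk is not None and self.ptk == ptk:
            return
        super().handle_msg3(ptk)


# Constructed demo values (not from the advisory): a 16-byte PTK and two equal-length frames.
DEMO_PTK = hashlib.sha256(b"constructed-demo-ptk").digest()[:16]
DEMO_FRAMES = [b"GET / HTTP/1.1\r\n", b"Host: intranet\r\n"]


def simulate(client_cls, ptk: bytes, frames):
    """Message 3 arrives, the client sends a frame, message 3 arrives again, another frame."""
    client = client_cls()
    client.handle_msg3(ptk)
    client.send(frames[0])
    client.handle_msg3(ptk)     # retransmitted (or replayed) message 3 with the same PTK
    client.send(frames[1])
    return client.sent


def nonces_reused(sent) -> bool:
    nonces = [n for n, _ in sent]
    return len(nonces) != len(set(nonces))


def xor_of_plaintexts_if_reused(sent):
    # Under a reused nonce the keystream cancels: ct1 XOR ct2 == pt1 XOR pt2.
    # Returns that XOR when a nonce repeats, None otherwise (i.e. the hardened case).
    seen = {}
    for nonce, ct in sent:
        if nonce in seen:
            return xor(seen[nonce], ct)
        seen[nonce] = ct
    return None


if __name__ == "__main__":
    for cls in (VulnerableSupplicant, HardenedSupplicant):
        log = simulate(cls, DEMO_PTK, DEMO_FRAMES)
        print(cls.__name__, "nonces:", [n for n, _ in log],
              "reused:", nonces_reused(log),
              "leak:", xor_of_plaintexts_if_reused(log))
```

Running the script shows the vulnerable client emitting nonce 0 twice and the XOR of the two frames being recoverable from ciphertext alone, while the hardened client continues at nonce 1. This is the client-side property a fix restores; it says nothing about how a particular vendor implements it.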

Impact

Man-in-the-Middle attacks

Affected Products

1. FortiGate:

Those issues may only affect FortiGate Wifi models used under Wifi Client mode. Specifically:

* FortiGates are not affected by CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088

* All other CVEs (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081) affect FortiGates running the following versions:

** Branch 5.6: FortiOS 5.6.2 and below
** Branch 5.4: FortiOS 5.4.5 and below
** Branch 5.2: FortiOS 5.2.11 and below
** Previous branches: All versions

2. FortiAP:

Those issues may only affect FortiAP working as a mesh leaf. Specifically:

* FortiAP is not affected by CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088

* All other CVEs (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081) affect FortiAP running the following firmware versions:

** Branch 5.6: FortiAP 5.6.0
** Branch 5.4: FortiAP 5.4.3 and below
** Branch 5.2: FortiAP 5.2.6 and below
** Previous branches: All versions

3. Meru AP:

Meru AP is affected when working in Mesh mode, when the Service Assurance Module (SAM) is enabled, or when 802.11r is enabled. Specifically:

* Meru AP is not affected by CVE-2017-13081, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088

* Meru AP is affected by CVE-2017-13082 when 802.11r is enabled and only with 11ac/wave2 APs. The affected versions are:

** Branch 8.3: Meru AP 8.3.3 and below
** Branch 8.2: Meru AP 8.2.7 and below
** Branch 8.0: All versions

* Meru AP is affected by CVE-2017-13077, CVE-2017-13078, CVE-2017-13079 and CVE-2017-13080 when under WPA2 security profile with the AP in client mode (under Mesh mode or when SAM enabled). The affected versions are:

** Branch 8.3: Meru AP 8.3.3 and below
** Branch 8.2: Meru AP 8.2.7 and below
** Branch 8.0: All versions
** Branch 7.0: Meru AP 7.0.11 and below
** Previous branches: All versions

4. FortiWLC:

FortiWLC is affected when working in Mesh mode, when the Service Assurance Module (SAM) is enabled, or when 802.11r is enabled. Specifically:

* FortiWLC is not affected by CVE-2017-13081, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088

* FortiWLC is affected by CVE-2017-13082 when 802.11r is enabled and only with 11ac/wave2 APs. The affected versions are:

** Branch 8.3: FortiWLC 8.3.3 and below
** Branch 8.2: FortiWLC 8.2.7 and below
** Branch 8.0: All versions

* FortiWLC is affected by CVE-2017-13077, CVE-2017-13078, CVE-2017-13079 and CVE-2017-13080 when under WPA2 security profile with the AP in client mode (under Mesh mode or when SAM enabled). The affected versions are:

** Branch 8.3: FortiWLC 8.3.3 and below
** Branch 8.2: FortiWLC 8.2.7 and below
** Branch 8.0: All versions
** Branch 7.0: FortiWLC 7.0.11 and below
** Previous branches: All versions

Solutions

For FortiGate Wifi models used under Wifi Client mode:

Upgrade to 5.2.12, 5.4.6 or 5.6.3 [**]

For FortiAP used as a mesh leaf:

Upgrade to FortiAP 5.2.7, 5.4.4 or 5.6.1 [**]

For Meru AP:

Apply special patches[*] to already released 8.3.3, 8.2.7 or 7.0.11

For FortiWLC:

Apply special patches[*] to already released 8.3.3, 8.2.7 or 7.0.11

[*] Reach out to your local TAC to request the special build and patches
[**] For the additional CVE-2017-13077 fix, refer to the UPDATE below

UPDATE: Accumulated fix for CVE-2017-13077:

To pass Wi-Fi Alliance Security Detection 2017 Test Plan Version 1.1, test case 4.1.5, the following products need to be upgraded to the following versions:

FortiOS 5.2 branch: upgrade to upcoming 5.2.14
FortiOS 5.4 branch: upgrade to FortiOS 5.4.9
FortiAP 5.6 branch: upgrade to FortiAP 5.6.2

UPDATE: AP side patch to prevent WPA2 KRACK attacks against vulnerable Wifi clients:

Fortinet is providing Access Point side protection to prevent WPA2 KRACK attacks against vulnerable Wifi Clients (regardless of their brand or make), with the following released or upcoming products and versions:

FortiOS: From upcoming FortiOS 6.0.0
FortiAP: From FortiAP 5.6.2 and 5.4.4
Meru AP: From upcoming Meru AP 8.5.0
FortiWLC: From upcoming FortiWLC 8.4.0

When connected to the products and versions above, even third party Wifi Clients that are theoretically vulnerable to WPA2 KRACK attacks will in practice become "not impacted", due to the protection provided by the Access Point.

Update History:
10-16-2017 Initial version
01-19-2018 Update accumulated fix info for CVE-2017-13077
01-19-2018 AP side patch to prevent WPA2 KRACK attacks against vulnerable Wifi clients