On Monday 16 October 2017 the US CERT published VU#228519 in response to a research paper from Mathy Vanhoef and KU Leuven titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”, which discussed vulnerabilities within the WPA2 standard itself. This attack has been named KRACK (Key Reinstallation AttACKs) and has its own website, at https://www.krackattacks.com/
These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point. Further research also led to the discovery of three additional vulnerabilities (not discussed in the original paper) affecting wireless supplicants supporting either the 802.11z (Extensions to Direct-Link Setup) standard or the 802.11v (Wireless Network Management) standard. The three additional vulnerabilities could also allow the reinstallation of a pairwise key, group key, or integrity group key.
The set of CVE numbers (CVE-2017-13077 through CVE-2017-13088) is broadly applicable to all vendors of Wi-Fi products, including Aerohive. Of these CVEs, 9 are directly related to clients but can be mitigated with AP software updates. The one CVE related to AP or infrastructure equipment concerns 802.11r Fast Roaming, which customers who are unable to promptly update their access points can address by temporarily disabling it in their networks.
Per the paper from the researchers, the main attack is against the 4-way handshake between the client and an access point, and does not exploit access points but instead targets client devices. The issue is with the ability to replay the 3rd phase of the 4-way handshake.
Aerohive does not believe the integrity of an Aerohive access point or branch router can be compromised by these attacks, even when it is still running a susceptible version of HiveOS, UNLESS it is acting as a mesh point or as a client to another access point. Aerohive branch routers and access points are not affected by 9 of these 10 vulnerabilities when acting as a standard access point. The 10th vulnerability relates to 802.11r Fast Roaming, which is not supported in all versions of HiveOS and can be disabled in access points as a temporary measure until the vulnerable version of software has been updated.
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a victim wireless access point (AP) or client. After establishing a man-in-the-middle position between an AP and client, an attacker can selectively manipulate the timing and transmission of messages in the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence reception or retransmission of messages. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall session keys. Key reuse facilitates arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.
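The nonce reset described above can be seen in a toy client model. This is an added sketch, not code from Aerohive, the researchers, or any real 802.11 stack; the `Supplicant` class, its fields and the all-zero key are constructed for illustration. It contrasts a client that reinstalls the key on a retransmitted message 3 with one that declines to reinstall a key it already has in use, which is one way to avoid the reset.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Supplicant:
    """Toy model of a WPA2 client's pairwise-key state (not real 802.11 code)."""
    hardened: bool
    tk: Optional[bytes] = None   # temporal key currently installed
    tx_pn: int = 0               # packet number; forms the per-frame nonce
    sent: List[Tuple[bytes, int]] = field(default_factory=list)

    def on_message3(self, tk: bytes) -> None:
        """Process message 3 of the 4-way handshake, or a retransmission of it."""
        if self.hardened and tk == self.tk:
            return               # key already in use: do not reinstall it
        self.tk = tk
        self.tx_pn = 0           # (re)installing a key resets the nonce counter

    def send_frame(self) -> None:
        """Protect one data frame and record the (key, nonce) pair it used."""
        self.tx_pn += 1
        self.sent.append((self.tk, self.tx_pn))


def reused_packet_numbers(hardened: bool) -> List[int]:
    """Return packet numbers used more than once under the same key."""
    tk = bytes(16)               # constructed all-zero key, illustration only
    sta = Supplicant(hardened=hardened)
    sta.on_message3(tk)          # first delivery of message 3
    for _ in range(3):
        sta.send_frame()
    sta.on_message3(tk)          # retransmitted message 3 arrives
    for _ in range(2):
        sta.send_frame()
    seen, reused = set(), set()
    for pair in sta.sent:
        if pair in seen:
            reused.add(pair[1])
        seen.add(pair)
    return sorted(reused)


if __name__ == "__main__":
    print("vulnerable:", reused_packet_numbers(hardened=False))
    print("hardened:  ", reused_packet_numbers(hardened=True))
```

In the hardened model a genuinely new key still installs and starts its own counter; only a repeat of the key already in use is ignored.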
This is the final advisory.
An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.
AP110, AP120, AP121, AP141, AP170, BR100, BR200*, AP130*, AP230*, AP320, AP340, AP330, AP350, AP370, AP390, and AP1130* customers should upgrade to HiveOS 6.5r8b immediately.
AP122, AP130*, AP150W, AP230*, AP245X, AP250, AP550, AP1130* customers should upgrade to HiveOS 8.1r2a immediately.
AP130, AP230, and AP1130 customers can choose between HiveOS 6.5r8a and HiveOS 8.1r2a.
BR200 customers can choose between HiveOS 6.5r8b and HiveOS 6.7r2b.
Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
This advisory will be posted on Aerohive’s website at:
Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision 1.0 / 2017-10-16 / Initial release
Revision 2.0 / 2017-10-17 / Corrections to HiveOS versions/platforms/availability dates, URLs, and additional details
Revision 3.0 / 2017-10-31 / Final revision, updated applicable HiveOS versions
AEROHIVE PSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aerohive products and obtaining assistance with security incidents is available at:
For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.