
Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities in Wi-Fi Protected Access (WPA1/WPA2) protocols (aka KRACK attack).

[JSA10827]


Product Affected:
This issue affects Junos OS 12.1X46. Affected platforms: SRX 210, 240 series firewalls with AX411 Wireless Access Points.

This issue affects ScreenOS 6.3. Affected platforms: ScreenOS SSG-5 and SSG-20 devices with embedded Wireless Access Point radios.

This issue affects WLAN 9.2, 9.6. Affected platforms: MSS.
Problem:

The Wi-Fi Protected Access (WPA/WPA1) and Wi-Fi Protected Access II (WPA2) security protocols contain a series of vulnerabilities. One or more of them are present, when the Wi-Fi radios are enabled, in Juniper's SRX 210, 240 series firewalls which support the AX411 Access Points, in ScreenOS SSG-5 and SSG-20 firewalls with integrated Wi-Fi radios, and in the WLAN product line.

This is a series of protocol-level vulnerabilities and is not specific to any Juniper products. WPA and WPA2 security protocols are present in nearly all modern Wi-Fi products.

This issue affects all Juniper products where Wi-Fi radio antennas are present, regardless of hardware or software revision.

Successful exploitation of these vulnerabilities could allow unauthenticated attackers to replay packets, decrypt wireless packets, and potentially forge or inject packets into a wireless network.

The following CVE IDs have been issued for each of the possible vulnerabilities:

CVE-2017-13077 reinstallation of the pairwise key in the Four-way handshake

CVE-2017-13078 reinstallation of the group key in the Four-way handshake

CVE-2017-13079 reinstallation of the integrity group key in the Four-way handshake

CVE-2017-13080 reinstallation of the group key in the Group Key handshake

CVE-2017-13081 reinstallation of the integrity group key in the Group Key handshake

Juniper's products do not support Fast BSS Transition Reassociation or the PeerKey Handshake, so they are not vulnerable to CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, or CVE-2017-13088.

CVE-2017-13077 is currently being evaluated further. The existing fixes for CVE-2017-13077 mitigate most but not all attack vectors that can be exploited by a skilled attacker.

The research paper referenced in the related links section below can be reviewed for details.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

 

Solution:

WLAN

MSS 9.2.1, 9.6.5 have all fixes, with the exception of CVE-2017-13077 which is resolved for most attack scenarios.

Juniper will not be issuing fixes for any products other than the WLAN series of products. All other affected products should follow the workaround section to disable Wi-Fi radios.

This issue is being tracked as PR 1297300 and is visible on the Customer Support website.

Workaround:

There are no viable workarounds for these issues.

The following methods may be used to reduce the possibility of exploitation:

SRX 210, 240 series firewalls with AX411 Wireless Access Points:

Disabling all Wi-Fi configurations and setting all ports with AX411 Access Points administratively down will protect the SRX device from exploitation.

Customers may also physically disconnect the AX411 Wi-Fi Access Points from their network.

ScreenOS devices with embedded Wireless Access Points:

Disable all Wi-Fi configurations.

WLAN:

Disable all Wi-Fi Access Points until such time that the MSS can be upgraded.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:

2017-10-16: Initial publication
2017-10-17: Updated not vulnerable section of problem to reflect not vulnerable to: CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, or CVE-2017-13088.  Removed SRX 650 reference which is EOE.
2017-10-25: Updated details regarding all products with Wi-Fi antennas present are affected regardless of hardware or software versions. Updated won't fix language for all products, except WLAN Series. Updated detail regarding partial fix available at this time for MSS for CVE-2017-13077. Added ICASI to attribution list.

Related Links:
CVSS Score:
7.9 (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
Risk Level:
High
Risk Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
Juniper SIRT would like to acknowledge and thank

   * researchers Mathy Vanhoef and Frank Piessens of DistriNet (Distributed Systems and Computer Networks) at the Computer Science department of the Katholieke Universiteit Leuven, Belgium for responsibly disclosing these vulnerabilities.
   * John A. Van Boxtel with Cypress Semiconductor for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.
   * Industry Consortium for Advancement of Security on the Internet (ICASI) for coordinating the investigation and disclosure of these vulnerabilities between ICASI, non-ICASI members, and CERT-CC. More information about this issue can be found at http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities and membership information for ICASI may be found at https://www.icasi.org/join-icasi/ for organizations seeking to coordinate with Juniper and other ICASI members on multi-vendor disclosures.