Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities in Wi-Fi Protected Access (WPA1/WPA2) protocols (aka KRACK attack).

Article ID: JSA10827
Type: SECURITY_ADVISORIES
Last Updated: 18 Jun 2018
Version: 7.0
Product Affected:
This issue affects Junos OS 12.1X46. Affected platforms: SRX 210, 240 series firewalls with AX411 Wireless Access Points.
This issue affects ScreenOS 6.3. Affected platforms: ScreenOS SSG-5 and SSG-20 devices with embedded Wireless Access Points radios.
This issue affects WLAN 9.2, 9.6. Affected platforms: MSS, RingMaster.
Problem:

The Wi-Fi Protected Access (WPA/WPA1) and Wi-Fi Protected Access II (WPA2) security protocols used in Juniper’s SRX 210, 240 series firewalls which support the AX411 Access Points, in ScreenOS SSG-5 and SSG-20 firewalls with integrated Wi-Fi radios, and in the WLAN product line have one or more vulnerabilities present when these Wi-Fi radios are enabled.

This is a series of protocol level vulnerabilities and not specific to any Juniper products. WPA and WPA2 security protocols are present in nearly all modern Wi-Fi products.

This issue affects all Juniper products where Wi-Fi radio antennas are present, regardless of hardware or software revision.

Successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network.

The following CVE IDs have been issued for each of the possible vulnerabilities:

CVE-2017-13077 reinstallation of the pairwise key in the Four-way handshake

CVE-2017-13078 reinstallation of the group key in the Four-way handshake

CVE-2017-13079 reinstallation of the integrity group key in the Four-way handshake

CVE-2017-13080 reinstallation of the group key in the Group Key handshake

CVE-2017-13081 reinstallation of the integrity group key in the Group Key handshake

Juniper's products do not support Fast BSS Transition Reassociation or the PeerKey Handshake, and so are not vulnerable to CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, or CVE-2017-13088.

The research paper referenced in the related links section below can be reviewed for details.
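The following is an added illustration, not part of the original advisory and not Juniper code, of why "reinstallation of the pairwise key" leads to the packet replay and decryption impact described above: reinstalling a key resets the transmit packet number (nonce), so two frames are encrypted with the same keystream. The `Supplicant` class, the HMAC-based toy keystream (a stand-in for the real WPA ciphers), the sample key and the `patched` behaviour (do not reset the counter when the same key is installed again) are all assumptions made for the example.

```python
import hashlib
import hmac

def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy per-packet keystream (stand-in for CCMP/TKIP, not the real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Hypothetical client model: only the key-install step of the handshake."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0  # transmit packet number, used as the per-frame nonce

    def on_message3(self, key: bytes) -> None:
        # A retransmitted handshake message 3 carries the same key again.
        if self.patched and key == self.key:
            return  # assumed fix: key already in use, keep the counter
        self.key, self.pn = key, 0  # (re)installation resets the nonce

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def run(patched: bool):
    """Send a frame, receive a retransmitted message 3, send another frame."""
    ptk = bytes(range(16))  # constructed sample key
    sta = Supplicant(patched)
    sta.on_message3(ptk)
    f1 = sta.send(b"frame-one-secret")
    sta.on_message3(ptk)  # retransmission triggers reinstallation
    f2 = sta.send(b"frame-two-public")
    return f1, f2

def nonce_reused(frames) -> bool:
    """Defender's check: a packet number seen twice under one key."""
    pns = [pn for pn, _ in frames]
    return len(pns) != len(set(pns))
```

With `patched=False` both frames carry packet number 1 and the XOR of the two ciphertexts equals the XOR of the two plaintexts; with `patched=True` the counter keeps advancing and no nonce repeats.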

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

 

Solution:

WLAN:
MSS 9.2.1, 9.6.5 have all fixes, with the exception of certain scenarios involving CVE-2017-13077.
MSS 9.2 MR3 (9.2.2.1), MSS 9.6 MR7 (9.6.6.1) and RingMaster 9.2 MR3 (9.2.5.1) have all fixes, including CVE-2017-13077.
For WLAN this issue is being tracked as PRs 1297300 and 1315808, which are visible on the Customer Support website.

ScreenOS:
ScreenOS service release version 6.3.0r24b-6.1 has all fixes. ScreenOS 6.3.0r26 and all subsequent releases have all fixes.
For ScreenOS this issue is being tracked as PR 1299345 and is visible on the Customer Support website.

Juniper will not be issuing fixes for any other products. For all affected products other than those listed as fixed above, follow the workaround section to disable Wi-Fi radios.
 

Workaround:

There are no viable workarounds for these issues.

The following methods may be used to reduce the possibility of exploitation:

SRX 210, 240 series firewalls with AX411 Wireless Access Points:

Disabling all Wi-Fi configurations and setting all ports with AX411 Access Points administratively down will protect the SRX device from exploitation.

Customers may also physically disconnect the AX411 Wi-Fi Access Points from their network.

ScreenOS devices with embedded Wireless Access Points:

Disable all Wi-Fi configurations.

WLAN:

Disable all Wi-Fi Access Points until such time that the MSS / RM can be upgraded.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.  In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service  Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
 
Modification History:
2017-10-16: Initial publication

2017-10-17: Updated not vulnerable section of problem to reflect not vulnerable to: CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, or CVE-2017-13088.  Removed SRX 650 reference which is EoE.

2017-10-25: Updated details regarding all products with Wi-Fi antennas present are affected regardless of hardware or software versions. Updated won't fix language for all products, except WLAN Series. Updated detail regarding partial fix available at this time for MSS for CVE-2017-13077. Added ICASI to attribution list.

2018-02-12: Updated details regarding WLAN MSS, RingMaster fixes.  Updated detail regarding a service release for ScreenOS that has all fixes.  Removed won't fix language for ScreenOS.

2018-06-18: Updated details regarding ScreenOS fix, as well as MSS PRs.

CVSS Score:
7.9 (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
Juniper SIRT would like to acknowledge and thank

   * researchers Mathy Vanhoef and Frank Piessens of DistriNet (Distributed Systems and Computer Networks) at the Computer Science department of the Katholieke Universiteit Leuven, Belgium for responsibly disclosing these vulnerabilities.
   * John A. Van Boxtel with Cypress Semiconductor for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.
   * Industry Consortium for Advancement of Security on the Internet (ICASI) for coordinating the investigation and disclosure of these vulnerabilities between ICASI, non-ICASI members, and CERT-CC. More information about this issue can be found at http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities and membership information for ICASI may be found at https://www.icasi.org/join-icasi/ for organizations seeking to coordinate with Juniper and other ICASI members on multi-vendor disclosures.

Related Links
