Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2628
Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities
in Wi-Fi Protected Access (WPA1/WPA2) protocols (aka KRACK attack).
19 October 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Juniper Junos OS
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-13088 CVE-2017-13087 CVE-2017-13086
CVE-2017-13084 CVE-2017-13082 CVE-2017-13081
CVE-2017-13080 CVE-2017-13079 CVE-2017-13078
CVE-2017-13077
Reference: ESB-2017.2620
ESB-2017.2601
ESB-2017.2600
ESB-2017.2599
Original Bulletin:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10827&actp=RSS
- --------------------------BEGIN INCLUDED TEXT--------------------
Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities in
Wi-Fi Protected Access (WPA1/WPA2) protocols (aka KRACK attack).
Categories:
Junos
Security Products
Firewalls ISG/NS/SSG Series
SSG-5
SSG-20
SRX Series
SRX210
SRX240
SIRT Advisory
Article ID: JSA10827
Last Updated: 17 Oct 2017
Version: 4.0
PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46. Affected platforms: SRX 210, 240 series
firewalls with AX411 Wireless Access Points. This issue affects ScreenOS 6.3.
Affected platforms: ScreenOS SSG-5 and SSG-20 devices with embedded Wireless
Access Points radios. This issue affects WLAN 9.2, 9.6. Affected platforms:
MSS.
PROBLEM:
A series of Wi-Fi Protected Access (WPA/WPA1) and Wi-Fi Protected Access II
(WPA2) security protocols used in Junipers SRX 210, 240 series firewalls which
support the AX411 Access Points, ScreenOS SSG-5 and SSG-20 firewalls with
integrated WiFi radios, and lastly, the WLAN product line have one or more
vulnerabilities present when these Wi-Fi radios are enabled.
This is a series of protocol level vulnerabilities and not specific to any
Juniper products. WPA and WPA2 security protocols are present in nearly all
modern Wi-Fi products.
Successful exploitation of these vulnerabilities could allow unauthenticated
attackers to perform packet replay, decrypt wireless packets, and to
potentially forge or inject packets into a wireless network.
The following CVE IDs have been issued for each of the possible
vulnerabilities:
CVE-2017-13077 reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078 reinstallation of the group key in the Four-way handshake
CVE-2017-13079 reinstallation of the integrity group key in the Four-way
handshake
CVE-2017-13080 reinstallation of the group key in the Group Key handshake
CVE-2017-13081 reinstallation of the integrity group key in the Group Key
handshake
Juniper's products do not support Fast BSS Transition Reassociation and
PeerKey Handshake so are Not Vulnerable to CVE-2017-13082, CVE-2017-13084,
CVE-2017-13086, CVE-2017-13087, or CVE-2017-13088.
The research paper referenced in the related links section below can be
reviewed for details.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was discovered by an external security researcher.
No other Juniper Networks products or platforms are affected by this issue.
SOLUTION:
WLAN
MSS 9.2.1, 9.6.5, and all subsequent releases.
This issue is being tracked as PR 1297300 and is visible on the Customer
Support website.
WORKAROUND:
There are no viable workarounds for these issues.
The following methods may be used to reduce the possibility of exploitation:
SRX 210, 240 series firewalls with AX411 Wireless Access Points:
Disabling all Wi-Fi configurations and setting all ports with AX411 Access
Points administratively down will protect the SRX device from exploitation.
Customers may also physically disconnect the AX411 Wi-Fi Access Points from
their network.
ScreenOS devices with embedded Wireless Access Points:
Disable all Wi-Fi configurations.
WLAN:
Disable all Wi-Fi Access Points until such time that the MSS can be upgraded.
IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.
MODIFICATION HISTORY:
Modification History:
2017-10-16: Initial publication
2017-10-17: Updated not vulnerable section of problem to reflect not
vulnerable to: CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087,
or CVE-2017-13088. Removed SRX 650 reference which is EOE.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
https://papers.mathyvanhoef.com/ccs2017.pdf
AX411 Access Point Hardware
CVSS SCORE:
7.9 (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
ACKNOWLEDGEMENTS:
Juniper SIRT would like to acknowledge and thank
* researchers Mathy Vanhoef and Frank Piessens of DistriNet (Distributed
Systems and Computer Networks) at the Computer Science department of the
Katholieke Universiteit Leuven, Belgium for responsibly disclosing these
vulnerabilities.
* John A. Van Boxtel with Cyprus Semiconductor for finding that
wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWefzrYx+lLeg9Ub1AQiXsA/+JYEYsWawVknWgWhWeK9errF4051a3SX9
iEnZhYKY5Y0jHs3Mcl09SdO9AQKIjNj2j3X83bOe1HhiTUlzVA17L4z7Fr01u/b0
IZatvfjNBMaoMqqblU7YcrWc88pchRY7ei+w8n5/DzBQfhwP9i58ZyLzsioHzvlm
Q7xU85fMYWzZUIPeaIwGD5VOfs11umKd3vCWTtVOG6419JtrZ6hE0Jl2C3kJSGK9
4Ri65mwOeu+4EbTuppu12+x/eDnarpUD+XoApIRNw4/eN3XSiT9XNY+fpblni0Hi
ZWXXCblscVm9aEwnHYbwuM8mPWf4th7LZDCuwH7ww78ott+WEU6VaHy71/SqXZTm
db08RvpFVioL/KIp2pujKrV6pkliK9HwYlFwQwKvyJhL10in+kcs+HRS9WpxnI+H
5tG7KooKEfLxniFCcGOdduN1fYgWvOBIek3y0H0zBZQi/aouRQmw8SZlS5g+pvec
FRqUDL/N5HSkRnGEjehNmYw8adftzcJzMm7h6RQw1vxznBXU05+awRAucMPE2GPr
JIdUqtgzyyBDLU5dsKz1YhDsxc3hHBVG+v4wxABE564fpc2rcZTyb8DyvGXRspB4
T360qmKqdoA59ef3bVA/pqhuzn0T10xIaMyjVFYFh65HPcx3rJ1Ci2PPHFoAem7d
+SdOm/rw7KM=
=G44G
-----END PGP SIGNATURE-----