===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3185
                AirPort Base Station Firmware Update 7.7.9
                             13 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple AirPort Base Station (with 802.11ac)
Publisher:         Apple
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13080 CVE-2017-13078 CVE-2017-13077
                   CVE-2017-9417

Original Bulletin:
   https://support.apple.com/en-au/HT208354

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2017-12-12-2 AirPort Base Station Firmware Update 7.7.9

AirPort Base Station Firmware Update 7.7.9 is now available and
addresses the following:

AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker within range may be able to execute arbitrary
code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence

AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA
unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state
transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven

AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA
multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state
transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU
Leuven

Installation note:

Firmware version 7.7.9 is installed on AirPort Extreme or AirPort
Time Capsule base stations with 802.11ac using AirPort Utility for
Mac or iOS.

AirPort Utility for Mac is a free download from
https://support.apple.com/downloads/ and AirPort Utility for iOS
is a free download from the App Store.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================