Wireless Security Announcement (KRACK)
We are e-mailing to notify you of recent
industry research into WPA2 security vulnerabilities and to provide
information on the impact to Aerohive products that you have recently
purchased or that may be in use in managed services we provide to you.
On Monday 16 October 2017 the US CERT
published VU#228519 in response to a research paper from Mathy Vanhoef and KU Leuven
titled "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2",
which discussed vulnerabilities within the WPA2 standard itself. This
attack has been named KRACK (Key Reinstallation AttACKs)
and has its own website at https://www.krackattacks.com/.
These
vulnerabilities may allow the reinstallation of a pairwise transient key, a
group key, or an integrity key on either a wireless client or a wireless
access point. Additional research also led to the discovery of three
additional vulnerabilities (not discussed in the original paper) affecting
wireless supplicants supporting either the 802.11z (Extensions to
Direct-Link Setup) standard or the 802.11v (Wireless Network Management)
standard. The three additional vulnerabilities could also allow the
reinstallation of a pairwise key, group key, or integrity group key.
The set of
CVE numbers (CVE-2017-13077 through CVE-2017-13088) is broadly
applicable to all vendors of Wi-Fi products,
including Aerohive.
Affected Aerohive Products & Versions
- Any access point running Aerohive
HiveOS versions 8.1r2 and lower is affected, as are Aerohive BR100 and
BR200 branch routers with integrated Wi-Fi.
- HiveManager Classic and HiveManager-NG
are NOT vulnerable and are not affected.
- Aerohive switches are NOT vulnerable to this and are not affected.
- Aerohive's stand-alone applications (StudentManager, HiveSchool,
etc) are not affected.
Details
Per the paper from the researchers, the main attack is against the
4-way handshake between the client and an access point, and does not
exploit access points but instead targets client devices. The issue is
with the ability to replay the 3rd phase of the 4-way handshake.
Aerohive does not believe the integrity of an Aerohive access point or
branch router can be compromised by these attacks, even while it is still
running a susceptible version of HiveOS, unless it is acting as a mesh
point or as a client to another access point. Aerohive branch routers and
access points are not affected by these vulnerabilities when acting as a
standard access point.
Wi-Fi
Protected Access II (WPA2) handshake traffic can be manipulated to induce
nonce and session key reuse, resulting in key reinstallation by a victim
wireless access point (AP) or client. After establishing a
man-in-the-middle position between an AP and client, an attacker can
selectively manipulate the timing and transmission of messages in the WPA2
Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link
Setup (TDLS) PeerKey (TPK), or Wireless Network
Management (WNM) Sleep Mode handshakes, resulting in out-of-sequence
reception or retransmission of messages. Depending on the data
confidentiality protocols in use (e.g. TKIP, CCMP, and GCMP) and
situational factors, the effect of these manipulations is to reset nonces and replay counters and ultimately to reinstall
session keys. Key reuse facilitates arbitrary packet decryption and
injection, TCP connection hijacking, HTTP content injection, or the replay
of unicast, broadcast, and multicast frames.
This is a
preliminary advisory related to Aerohive products only - we expect other
vendors will provide detailed responses to this issue over the coming
weeks.
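
The effect of a retransmitted message 3, described above, can be seen in a simplified model of a client. This is an added example, not Aerohive's or the researchers' code; the `Supplicant` class, its counters and the sample key name are assumptions made for illustration, and the hardened branch shows one form of the fix (refusing to reinstall a key that is already in use).

```python
class Supplicant:
    def __init__(self, hardened):
        self.hardened = hardened
        self.key = None
        self.tx_pn = 0      # transmit packet number (nonce input)
        self.rx_pn = 0      # highest packet number accepted (replay counter)
        self.used = []      # every (key, packet number) pair used to encrypt

    def on_message3(self, ptk):
        """Handle message 3 of the 4-way handshake, original or retransmitted."""
        if self.hardened and self.key == ptk:
            return "ack-only"         # key already in use: answer, keep counters
        self.key = ptk                # (re)install the key ...
        self.tx_pn = self.rx_pn = 0   # ... which resets nonce and replay counter
        return "installed"

    def send(self):
        self.tx_pn += 1
        self.used.append((self.key, self.tx_pn))

    def receive(self, pn):
        """Replay check: accept only packet numbers above the last accepted."""
        if pn <= self.rx_pn:
            return False
        self.rx_pn = pn
        return True

def replay_message3(hardened):
    """Return (reused (key, pn) pairs, whether an old frame is accepted again)."""
    sta = Supplicant(hardened)
    ptk = "PTK-sample"                # constructed placeholder, not a real key
    sta.on_message3(ptk)
    for _ in range(3):
        sta.send()
    sta.receive(1)                    # legitimate frame with packet number 1
    sta.on_message3(ptk)              # retransmitted message 3 arrives
    for _ in range(2):
        sta.send()
    reused = sorted({p for p in sta.used if sta.used.count(p) > 1})
    return reused, sta.receive(1)     # same frame delivered a second time

if __name__ == "__main__":
    print("unpatched:", replay_message3(False))
    print("hardened: ", replay_message3(True))
```

In the unpatched run the same key and packet number protect two different frames and an already-seen frame passes the replay check; in the hardened run neither happens.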
Impact
An attacker within the wireless communications range of an affected
AP and client may leverage these vulnerabilities to conduct attacks that
are dependent on the data confidentiality protocol being used. Attacks may
include arbitrary packet decryption and injection, TCP connection
hijacking, HTTP content injection, or the replay of unicast, broadcast, and
multicast frames.
What to do
Aerohive will be releasing new versions of HiveOS to remove any
exposure to these issues:
- HiveOS version 8.1r2a was made available on 16 October 2017, within 24
hours of the publication date of the vulnerability.
- HiveOS version 6.5r9 is in process and will be available no later than 20
October 2017.
- HiveOS version 6.7r4 is in process and will be available no later than 20
October 2017.
- AP121, AP141, AP170, BR200, AP130*, AP230*,
AP320, AP340, AP330, AP350, AP370, AP390, and AP1130* customers should
upgrade to HiveOS 6.5r9 when it becomes available.
- AP122, AP130*, AP150W, AP230*, AP245X, AP250, AP550, AP1130* customers
should upgrade to HiveOS 8.1r2a.
- AP130, AP230, and AP1130 customers can choose between HiveOS 6.5r9 and
HiveOS 8.1r2a.
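
The version and model lists above can be applied to an inventory export with a short script. This is an added example, not an Aerohive or Trust Systems tool; the inventory rows are constructed, and treating branches without a listed fix as affected up to 8.1r2 is an assumption drawn from the "8.1r2 and lower" statement.

```python
import re

# Fixed releases and model lists copied from the advisory text.
# The advisory does not say which models take 6.7r4, so it has no model list.
FIXED = {(6, 5): (9, ""), (6, 7): (4, ""), (8, 1): (2, "a")}
LAST_AFFECTED = (8, 1, 2, "")          # "8.1r2 and lower are affected"
TARGETS = {
    "6.5r9": "AP121 AP141 AP170 BR200 AP130 AP230 AP320 AP340 AP330 "
             "AP350 AP370 AP390 AP1130".split(),
    "8.1r2a": "AP122 AP130 AP150W AP230 AP245X AP250 AP550 AP1130".split(),
}

def parse(version):
    """'8.1r2a' -> (8, 1, 2, 'a'); raises ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)r(\d+)([a-z]?)", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised HiveOS version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def is_affected(version):
    major, minor, rel, letter = parse(version)
    fix = FIXED.get((major, minor))
    if fix is not None:                 # branch with a published fix
        return (rel, letter) < fix
    # Assumption: branches without a listed fix follow the 8.1r2 cut-off.
    return (major, minor, rel, letter) <= LAST_AFFECTED

def triage(model, version):
    """Return (affected, upgrade targets the advisory lists for the model)."""
    model = model.strip().upper()
    targets = [v for v, models in TARGETS.items() if model in models]
    return is_affected(version), targets

if __name__ == "__main__":
    inventory = [("AP230", "6.5r8"), ("AP250", "8.1r2"), ("AP122", "8.1r2a"),
                 ("BR100", "6.5r4"), ("AP121", "6.5r9")]   # constructed sample
    for model, version in inventory:
        affected, targets = triage(model, version)
        print(f"{model:7} {version:7} affected={affected} "
              f"upgrade_to={targets or 'not listed in advisory'}")
```
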
Need help?
If you have a managed WiFi agreement
with Trust Systems, a member of our technical team will be in touch to
provide further information and a personalised response plan to help secure
your environment.
If you do not have a managed WiFi contract and would like further information or
assistance, please contact our service desk for guidance:
t. 08433 300 300
e. help@myitservicedesk.com