Risk | High |
Patch available | NO |
Number of vulnerabilities | 9 |
CVE-ID | CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 |
CWE-ID | CWE-320 |
Exploitation vector | Local network |
Public exploit | Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #9 is available. |
Vulnerable software |
Cisco Meraki | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco WAP561 | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco WAP551 | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco WAP371 | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco WAP321 | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco WAP121 | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco ASA 5506W-X w | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco Spark Room Series | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco IP Phone 8865 | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco IP Phone 8861 | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco DX80 Series IP Phones | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco DX70 Series IP Phones | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco Wireless IP Phone 8821 | Hardware solutions / Office equipment, IP-phones, print servers |
Aironet | Hardware solutions / Firmware |
Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
EUVDB-ID: #VU8837
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-13077
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used pairwise key.
The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU8838
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-13078
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used group key.
The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU8839
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-13079
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used integrity group key.
The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU8840
Risk: Medium
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2017-13080
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used group key.
The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.
The vulnerability is dubbed the "KRACK" attack.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU8841
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-13081
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used integrity group key.
The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU8842
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-13082
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used pairwise key.
The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.
As a temporary solution, the vendor has suggested the following workaround:
- If no interactive applications such as Voice over IP (VoIP) or video are being used on the network, you can disable 11r support on the access point.
- If VoIP applications are in use but the supplicants support CCKM (for example, Cisco Wireless Phones), you can disable 11r support and reconfigure the clients to use CCKM (Cisco Centralized Key Management), which should provide a similar roaming experience.
NOTE: Disabling 11r support may have a negative performance and availability impact on the network. Customers should verify that disabling 11r would not negatively impact their environment before performing such a configuration change on their infrastructure devices.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU8845
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-13086
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant that is compliant with the 802.11z standard to reinstall a previously used TPK key.
The weakness exists in the processing of the 802.11z (Extensions to Direct-Link Setup) TDLS handshake messages due to ambiguities in the processing of associated protocol messages. An adjacent attacker can passively eavesdrop on a TDLS handshake and retransmit previously used message exchanges between supplicant and authenticator.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU8846
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-13087
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant that is compliant with the 802.11v standard to reinstall a previously used group key.
The weakness exists in the processing of the 802.11v (Wireless Network Management) Sleep Mode Response frames due to ambiguities in the processing of associated protocol messages. An adjacent attacker can passively eavesdrop and retransmit previously used WNM Sleep Mode Response frames.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU8847
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-13088
CWE-ID: CWE-320 - Key Management Errors
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to force a supplicant that is compliant with the 802.11v standard to reinstall a previously used integrity group key.
The weakness exists in the processing of the 802.11v (Wireless Network Management) Sleep Mode Response frames due to ambiguities in the processing of associated protocol messages. An adjacent attacker can passively eavesdrop and retransmit previously used WNM Sleep Mode Response frames.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versions
Cisco Meraki: MR11 - MR84
Cisco WAP561: All versions
Cisco WAP551: All versions
Cisco WAP371: All versions
Cisco WAP321: All versions
Cisco WAP121: All versions
Cisco ASA 5506W-X w: All versions
Cisco Wireless IP Phone 8821: All versions
Cisco Spark Room Series: All versions
Cisco IP Phone 8865: All versions
Cisco IP Phone 8861: All versions
Cisco DX80 Series IP Phones: All versions
Cisco DX70 Series IP Phones: All versions
Aironet: AP801 - 3800 Series
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.