Pierluigi Paganini October 30, 2017

Many industrial networking devices from various vendors are still vulnerable to the recently disclosed KRACK attack (Key Reinstallation Attack).

Many industrial networking devices are vulnerable to the recently disclosed KRACK attack (Key Reinstallation Attack), including products from major vendors such as Cisco, Rockwell Automation, and Sierra Wireless.

A few weeks ago, researchers discovered several key management flaws in the core of Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to hack into Wi-Fi network and eavesdrop on the Internet communications0 stealing sensitive information (i.e. credit card numbers, passwords, chat messages, emails, and pictures).

Below the full list of WPA2 Vulnerabilities discovered in the WPA2 protocol.

• CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
• CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
• CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
• CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
• CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
• CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
• CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
• CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
• CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
• CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

The above vulnerabilities affect products from tens of vendors, some of them are already working to fix the problems. Recently the Rockwell Automation announced to have patched its Stratix wireless access point against the KRACK vulnerability, while Microsoft addressed the issue with the October 2017 Patch Tuesday.

Sierra Wireless issued a security advisory to inform customers that many of its products, including access points and client devices, are affected by the vulnerabilities. The vendor plans to release security updates over the coming months. Siemens is still assessing its products for vulnerable devices.

WPA2 implementations are some industrial communications products are affected exposing the industrial devices to Krack attack.

Cisco confirmed that its access points and other wireless infrastructure components are affected only by the CVE-2017-13082.

Cisco published a security advisory to confirm that many products, including Cisco 829 Industrial Integrated Services routers and Industrial Wireless 3700 series access points, are affected by multiple vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II.

“Among these ten vulnerabilities, only one (CVE-2017-13082) may affect components of the wireless infrastructure (for example, Access Points), the other nine vulnerabilities affect only client devices. 
Multiple Cisco wireless products are affected by these vulnerabilities.” states the security advisory.

“Cisco will release software updates that address these vulnerabilities. There are workarounds that addresses the vulnerabilities in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, and CVE-2017-13082. There are no workarounds for CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.”

Cisco still hasn’t released security updates for the vulnerable industrial products, however, the tech giant suggested workarounds for some of the flaws.

Pierluigi Paganini

(Security Affairs – KRACK attack, Industrial Products)

[adrotate banner=”5″]

[adrotate banner=”13″]