Sid 1-44640

Report a false positive

Rule Category

POLICY-OTHER --

Alert Message

POLICY-OTHER WPA2 key reuse tool attempt

Rule Explanation

This event is generated when WPA2 attachk tools are found traversing a network. Impact: low Details: This rule catches several key components of the python script and scapy utilities found to attack WPA2 networks through key reuse Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13084 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088

Additional Links

papers.mathyvanhoef.com/ccs2017.pdf

Rule Vulnerability

CVE Additional Information

CVE-2017-13077
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
Details
Severity Base Score6.8
Impact Score5.2 Exploit Score1.6
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13078
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.
Details
Severity Base Score5.3
Impact Score3.6 Exploit Score1.6
Confidentiality ImpactNONE Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13079
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.
Details
Severity Base Score5.3
Impact Score3.6 Exploit Score1.6
Confidentiality ImpactNONE Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13080
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.
Details
Severity Base Score5.3
Impact Score3.6 Exploit Score1.6
Confidentiality ImpactNONE Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13081
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.
Details
Severity Base Score5.3
Impact Score3.6 Exploit Score1.6
Confidentiality ImpactNONE Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13082
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
Details
Severity Base Score8.1
Impact Score5.2 Exploit Score2.8
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13084
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
Details
Severity Base Score6.8
Impact Score5.2 Exploit Score1.6
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13086
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
Details
Severity Base Score6.8
Impact Score5.2 Exploit Score1.6
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13087
Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.
Details
Severity Base Score5.3
Impact Score3.6 Exploit Score1.6
Confidentiality ImpactNONE Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-13088
Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.
Details
Severity Base Score5.3
Impact Score3.6 Exploit Score1.6
Confidentiality ImpactNONE Integrity ImpactHIGH
Availability ImpactNONE Access Vector
Authentication Ease of Access

Affected Systems