
Sid 1-44640

Message

POLICY-OTHER WPA2 key reuse tool attempt

Summary

This event is generated when traffic from WPA2 key reinstallation attack tools is detected traversing a network.

Impact

low

CVSS scores per CVE:

CVE             Base score  Impact score  Exploitability score  Confidentiality  Integrity  Availability
CVE-2017-13077  6.8         5.2           1.6                   HIGH             HIGH       NONE
CVE-2017-13078  5.3         3.6           1.6                   NONE             HIGH       NONE
CVE-2017-13079  5.3         3.6           1.6                   NONE             HIGH       NONE
CVE-2017-13080  5.3         3.6           1.6                   NONE             HIGH       NONE
CVE-2017-13081  5.3         3.6           1.6                   NONE             HIGH       NONE
CVE-2017-13082  8.1         5.2           2.8                   HIGH             HIGH       NONE
CVE-2017-13084  6.8         5.2           1.6                   HIGH             HIGH       NONE
CVE-2017-13086  6.8         5.2           1.6                   HIGH             HIGH       NONE
CVE-2017-13087  5.3         3.6           1.6                   NONE             HIGH       NONE
CVE-2017-13088  5.3         3.6           1.6                   NONE             HIGH       NONE

Detailed information

This rule catches several key components of the Python script and Scapy utilities found to attack WPA2 networks through key reuse. The CVEs it covers are:

CVE-2017-13077: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13078: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.

CVE-2017-13079: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.

CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.

CVE-2017-13081: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.

CVE-2017-13082: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the Fast BSS Transition (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13084: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13086: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13087: Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.

CVE-2017-13088: Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.
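Every CVE above shares one mechanism: a handshake message that is processed a second time causes an already-installed key to be reinstalled, which resets the packet number and so repeats (key, nonce) pairs. The following added example (not code from the Talos rule or from the KRACK tools) models that with a toy supplicant in both its vulnerable and its patched form, together with the monitor-side nonce-reuse check a defender would watch for; Supplicant, nonce_reuse and simulate are hypothetical names and the key bytes are constructed.

```python
"""Toy model of the supplicant side of the key-reinstallation CVEs listed above.
Added illustration; not code from the Talos rule or from the KRACK tools. CCMP is
modelled only as the (key, packet number) pair a frame would use; no real crypto runs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Supplicant:
    """Minimal client state for the pairwise key installed by message 3 of the 4-way handshake."""
    refuse_reinstall: bool          # True models the patched behaviour: never reinstall a live key
    installed_tk: Optional[bytes] = None
    pn: int = 0                     # CCMP packet number, the per-frame nonce counter

    def on_message3(self, tk: bytes) -> None:
        """Process message 3, which may legitimately be repeated when message 4 was lost."""
        if self.refuse_reinstall and tk == self.installed_tk:
            return                  # key already live: keep the current PN, reinstall nothing
        self.installed_tk = tk
        self.pn = 0                 # this reset is what makes reinstallation dangerous

    def next_frame(self) -> Tuple[bytes, int]:
        """Return the (key, PN) pair the next data frame would be encrypted under."""
        self.pn += 1
        return (self.installed_tk, self.pn)


def nonce_reuse(frames: List[Tuple[bytes, int]]) -> List[int]:
    """Monitor-side check: packet numbers used more than once under the same key."""
    seen = set()
    reused = []
    for key, pn in frames:
        if (key, pn) in seen:
            reused.append(pn)
        seen.add((key, pn))
    return reused


def simulate(refuse_reinstall: bool) -> List[int]:
    """Install a key, send two frames, receive message 3 again, send two more frames."""
    tk = bytes.fromhex("00" * 16)   # constructed sample key material
    sta = Supplicant(refuse_reinstall)
    sta.on_message3(tk)
    frames = [sta.next_frame(), sta.next_frame()]
    sta.on_message3(tk)             # repeated message 3
    frames += [sta.next_frame(), sta.next_frame()]
    return nonce_reuse(frames)      # vulnerable client: [1, 2]; patched client: []
```

The patched path mirrors the w1.fi fix in spirit: a key that is already installed is not installed again, so the packet number keeps counting and no (key, PN) pair repeats.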

Affected systems

  • w1.fi hostapd 0.2.4
  • w1.fi hostapd 0.2.5
  • w1.fi hostapd 0.2.6
  • w1.fi hostapd 0.2.8
  • w1.fi hostapd 0.3.7
  • w1.fi hostapd 0.3.9
  • w1.fi hostapd 0.3.10
  • w1.fi hostapd 0.3.11
  • w1.fi hostapd 0.4.7
  • w1.fi hostapd 0.4.8
  • w1.fi hostapd 0.4.9
  • w1.fi hostapd 0.4.10
  • w1.fi hostapd 0.4.11
  • w1.fi hostapd 0.5.7
  • w1.fi hostapd 0.5.8
  • w1.fi hostapd 0.5.9
  • w1.fi hostapd 0.5.10
  • w1.fi hostapd 0.5.11
  • w1.fi hostapd 0.6.8
  • w1.fi hostapd 0.6.9
  • w1.fi hostapd 0.6.10
  • w1.fi hostapd 0.7.3
  • w1.fi hostapd 1.0
  • w1.fi hostapd 1.1
  • w1.fi hostapd 2.0
  • w1.fi hostapd 2.1
  • w1.fi hostapd 2.2
  • w1.fi hostapd 2.3
  • w1.fi hostapd 2.4
  • w1.fi hostapd 2.5
  • w1.fi hostapd 2.6
  • w1.fi wpa_supplicant 0.2.4
  • w1.fi wpa_supplicant 0.2.5
  • w1.fi wpa_supplicant 0.2.6
  • w1.fi wpa_supplicant 0.2.7
  • w1.fi wpa_supplicant 0.2.8
  • w1.fi wpa_supplicant 0.3.7
  • w1.fi wpa_supplicant 0.3.8
  • w1.fi wpa_supplicant 0.3.9
  • w1.fi wpa_supplicant 0.3.10
  • w1.fi wpa_supplicant 0.3.11
  • w1.fi wpa_supplicant 0.4.7
  • w1.fi wpa_supplicant 0.4.8
  • w1.fi wpa_supplicant 0.4.9
  • w1.fi wpa_supplicant 0.4.10
  • w1.fi wpa_supplicant 0.4.11
  • w1.fi wpa_supplicant 0.5.7
  • w1.fi wpa_supplicant 0.5.8
  • w1.fi wpa_supplicant 0.5.9
  • w1.fi wpa_supplicant 0.5.10
  • w1.fi wpa_supplicant 0.5.11
  • w1.fi wpa_supplicant 0.6.8
  • w1.fi wpa_supplicant 0.6.9
  • w1.fi wpa_supplicant 0.6.10
  • w1.fi wpa_supplicant 0.7.3
  • w1.fi wpa_supplicant 1.0
  • w1.fi wpa_supplicant 1.1
  • w1.fi wpa_supplicant 2.0
  • w1.fi wpa_supplicant 2.1
  • w1.fi wpa_supplicant 2.2
  • w1.fi wpa_supplicant 2.3
  • w1.fi wpa_supplicant 2.4
  • w1.fi wpa_supplicant 2.5
  • w1.fi wpa_supplicant 2.6
  • canonical ubuntu_linux 14.04
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 17.04
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • freebsd freebsd *
  • freebsd freebsd 10
  • freebsd freebsd 10.4
  • freebsd freebsd 11
  • freebsd freebsd 11.1
  • opensuse leap 42.2
  • opensuse leap 42.3
  • redhat enterpriselinuxdesktop 7
  • redhat enterpriselinuxserver 7
  • suse linuxenterprisedesktop 12
  • suse linuxenterprisepointofsale 11
  • suse linuxenterpriseserver 11
  • suse linuxenterpriseserver 12
  • suse openstack_cloud 6

Ease of attack

CVE-2017-13077:

Access Vector

Access Complexity

Authentication

CVE-2017-13078:

Access Vector

Access Complexity

Authentication

CVE-2017-13079:

Access Vector

Access Complexity

Authentication

CVE-2017-13080:

Access Vector

Access Complexity

Authentication

CVE-2017-13081:

Access Vector

Access Complexity

Authentication

CVE-2017-13082:

Access Vector

Access Complexity

Authentication

CVE-2017-13084:

Access Vector

Access Complexity

Authentication

CVE-2017-13086:

Access Vector

Access Complexity

Authentication

CVE-2017-13087:

Access Vector

Access Complexity

Authentication

CVE-2017-13088:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • papers.mathyvanhoef.com/ccs2017.pdf