#VU8837 Key management errors


Published: 2017-10-17 | Updated: 2017-10-17

Vulnerability identifier: #VU8837

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2017-13077

CWE-ID: CWE-320

Exploitation vector: Local network

Exploit availability: No

Description
The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used pairwise key.

The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.

External links
http://www.krackattacks.com/
http://papers.mathyvanhoef.com/ccs2017.pdf

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in ESP-IDF
Multiple vulnerabilities in ESP-IDF
SUSE update for wpa_supplicant
Key management errors in firefox-esr (Alpine package)
Key management errors in busybox (Alpine package)
Multiple vulnerabilities in Google Android
Gentoo update for hostapd and wpa_supplicant
Multiple vulnerabilities in Rockwell Automation Stratix 5100
Slackware Linux update for wpa_supplicant
Debian update for wpa