Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities in Wi-Fi Protected Access (WPA1/WPA2) protocols (aka KRACK attack).

Product Affected:

This issue affects Junos OS 12.1X46. Affected platforms: SRX 210, 240, 650 series firewalls with AX411 Wireless Access Points. This issue affects ScreenOS 6.3. Affected platforms: ScreenOS SSG-5 and SSG-20 devices with embedded Wireless Access Points radios. This issue affects WLAN 9.2, 9.6. Affected platforms: MSS.

 

Problem:

A series of Wi-Fi Protected Access (WPA/WPA1) and Wi-Fi Protected Access II (WPA2) security protocols used in Juniper’s SRX 210, 240, 650 series firewalls which support the AX411 Access Points, ScreenOS SSG-5 and SSG-20 firewalls with integrated WiFi radios, and lastly, the WLAN product line have one or more vulnerabilities present when these Wi-Fi radios are enabled.
This is a series of protocol level vulnerabilities and not specific to any Juniper products. WPA and WPA2 security protocols are present in nearly all modern Wi-Fi products.
Successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network.
The following CVE IDs have been issued for each of the possible vulnerabilities:
CVE-2017-13077 reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078 reinstallation of the group key in the Four-way handshake
CVE-2017-13079 reinstallation of the integrity group key in the Four-way handshake
CVE-2017-13080 reinstallation of the group key in the Group Key handshake
CVE-2017-13081 reinstallation of the integrity group key in the Group Key handshake
Juniper's products do not support Fast BSS Transition Reassociation so are Not Vulnerable to CVE-2017-13082.
The following CVE IDs are still under investigation:
CVE-2017-13084 reinstallation of the STK key in the PeerKey handshake
CVE-2017-13086 reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
CVE-2017-13087 reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088 reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
The research paper referenced in the related links section below can be reviewed for details.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

Solution:

WLAN
MSS 9.2.1, 9.6.5, and all subsequent releases.

This issue is being tracked as PR 1297300 and is visible on the Customer Support website.

Workaround:

There are no viable workarounds for these issues.
The following methods may be used to reduce the possibility of exploitation:
SRX 210, 240, 650 series firewalls with AX411 Wireless Access Points:
Disabling all Wi-Fi configurations and setting all ports with AX411 Access Points administratively down will protect the SRX device from exploitation.
Customers may also physically disconnect the AX411 Wi-Fi Access Points from their network.
ScreenOS devices with embedded Wireless Access Points:
Disable all Wi-Fi configurations.
WLAN:
Disable all Wi-Fi Access Points until such time that the MSS can be upgraded.

 

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

 

Modification History:

Modification History: 2017-10-16: Initial publication

 

Related Links:

• KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process

• KB16765: In which releases are vulnerabilities fixed?

• KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories

• Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

• https://papers.mathyvanhoef.com/ccs2017.pdf

• AX411 Access Point Hardware

 

CVSS Score:

7.9 (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

 

Risk Level:

High

 

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

 

Acknowledgements:

Juniper SIRT would like to acknowledge and thank

   * researchers Mathy Vanhoef and Frank Piessens of DistriNet (Distributed Systems and Computer Networks) at the Computer Science department of the Katholieke Universiteit Leuven, Belgium for responsibly disclosing these vulnerabilities.
   * John A. Van Boxtel with Cyprus Semiconductor for finding that wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.

User Interface update on JUNOS Software Download page - providing a URL for on device download

The user interface of the JUNOS Software Download page - https://www.juniper.net/support/downloads/group/?f=junos - has been updated. The last step in downloading software has been modified. The change will be in production on 2017-10-13T19:30:00-07:00

Solution:

The user interface of the JUNOS Software Download page - https://www.juniper.net/support/downloads/group/?f=junos - has been updated. The last step in downloading software has been modified to

1. Enhance automation by providing a URL of the image that can be used with command line tools such as "curl", "wget", or "cli> file copy ..." on a JUNOS device
2. The software image download no longer starts automatically via a user's browser. A user can choose to either click to download, or copy the image's URL to use on another device

The change will be in production on 2017-10-13T19:30:00-07:00

Implementation:

The user interface of the JUNOS Software Download page - https://www.juniper.net/support/downloads/group/?f=junos - has been updated as follow:
After a user selects a JUNOS image, the software download displays the "End User License Agreement" (EULA). The user reviews the EULA and can either agree or disagree with the EULA. If a user agrees, the image is downloaded using the user's browser within a couple of seconds.
​
Figure 1: Current software download step - after a user accepts the EULA, they are transferred to this page. The image downloads automatically after a few seconds delay to the browser download directory.


We received feedback from users that downloading a large image via a browser to use the image in the field is not optimal. Many users prefer to get the URL of the image. They can then use the URL on their devices to copy the image to local storage directly. To illustrate this scenario, a user has to:

1. Interrupt the download - one usually interrupts the automatic download since the browser starts downloading the image to the desktop within a couple of seconds
2. Copy the image's URL - usually by righ-click on the "Click to Download" link to get the URL
3. Delete the partially downloaded image on the browser download folder

The last step in downloading software has been modified to

1. Enhance automation by providing a URL of the image that can be used with command line tools such as "curl", "wget", or "cli> file copy ..." on a JUNOS device
2. The software image download is no longer starts automatically via a user's browser. A user can choose to either click to download, or copy the image's URL to use on another device

Figure 2: The new user interface to the last step of JUNOS software download procedure. The interface provides a URL to the image, or the ability to download the image via the browser